
Information security management - 2 - document download page

2025-07-13 20:07

Summary: BS7799 (information security management). Outline: 1 Scope; General; Implementation; Documentation; Document control; Records; 4 Detailed controls; Security policy; Security organization; Outsourcing; Personnel security; User training; Secure areas; General controls; Housekeeping; Access control; Compliance.

  

s Duress alarms shall be provided for users who might be the target of coercion.

Terminal timeout: Inactive terminals in high risk locations or serving high risk systems shall shut down after a defined period of inactivity to prevent access by unauthorized persons.

Limitation of connection time: Restrictions on connection times shall be used to provide additional security for high-risk applications.

Application access control
Objective: To prevent unauthorized access to information held in information systems.

Information access restriction: Access to information and application system functions shall be restricted in accordance with the access control policy specified in .

Sensitive system isolation: Sensitive systems shall have a dedicated (isolated) computing environment.

Monitoring system access and use
Objective: To detect unauthorized activities.

Event logging: Audit logs recording exceptions and other security-relevant events shall be produced and kept for an agreed period to assist in future investigations and access control monitoring.

Monitoring system use: Procedures for monitoring use of information processing facilities shall be established and the result of the monitoring activities reviewed regularly.

Clock synchronization: Computer clocks shall be synchronized for accurate recording.

Mobile computing and teleworking
Objective: To ensure information security when using mobile computing and teleworking facilities.

Mobile computing: A formal policy shall be in place and appropriate controls shall be adopted to protect against the risks of working with mobile computing facilities, in particular in unprotected environments.

Teleworking: Policies and procedures shall be developed to authorize and control teleworking activities.

Systems development and maintenance

Security requirements of systems
Objective: To ensure that security is built into information systems.

Security requirements analysis and specification: Business requirements for new systems, or enhancements to existing systems shall specify the requirements for controls.

Security in application systems
Objective: To prevent loss, modification or misuse of user data in application systems.

Input data validation: Data input to application systems shall be validated to ensure that it is correct and appropriate.

Control of internal processing: Validation checks shall be incorporated into systems to detect corruption of the data processed.

Message authentication: Message authentication shall be used for applications where there is a security requirement to protect the integrity of the message content.

Output data validation: Data output from an application system shall be validated to ensure that the processing of stored information is correct and appropriate to the circumstances.

Cryptographic controls
Objective: To protect the confidentiality, authenticity or integrity of information.

Policy on the use of cryptographic controls: A policy on the use of cryptographic controls for the protection of information shall be developed and followed.

Encryption: Encryption shall be applied to protect the confidentiality of sensitive or critical information.

Digital signatures: Digital signatures shall be applied to protect the authenticity and integrity of electronic information.

Non-repudiation services: Non-repudiation services shall be used to resolve disputes about occurrence or non-occurrence of an event or action.

Key management: A key management system based on an agreed set of standards, procedures and methods shall be used to support the use of cryptographic techniques.

Security of system files
Objective: To ensure that IT projects and support activities are conducted in a secure manner.

Control of operational software: Control shall be applied to the implementation of software on operational systems.

Protection of system test data: Test data shall be protected and controlled.

Access control to program source library: Strict control shall be maintained over access to program source libraries.

Security in development and support processes
Objective: To maintain the security of application system software and information.

Change control procedures: The implementation of changes shall be strictly controlled by the use of formal change control procedures to minimize the corruption of information systems.

Technical review of operating system changes: Application systems shall be reviewed and tested when changes occur.

Restrictions on changes to software packages: Modifications to software packages shall be discouraged and essential changes strictly controlled.

Covert channels and Trojan code: The purchase, use and modification of software shall be controlled and checked to protect against possible covert channels and Trojan code.

Outsourced software development: Controls shall be applied to secure outsourced software development.

Business continuity management

Aspects of business continuity management
Objective: To counteract interruptions to business activities and to protect critical business processes from the effects of major failures or disasters.

Business continuity management process: There shall be a managed process in place for developing and maintaining business continuity throughout the organization.

Business continuity and impact analysis: A strategy plan, based on appropriate risk assessment, shall be developed for the overall approach to business continuity.

Writing and implementing continuity plans: Plans shall be developed to maintain or restore business operations in a timely manner following interruption to, or failure of, critical business processes.

Business continuity planning framework: A single