[Main text]
should be in place requires careful planning and attention to detail. Information security management needs, as a minimum, participation by all employees in the organization. It may also require participation from suppliers, customers or shareholders. Specialist advice from outside organizations may also be needed. Information security controls are considerably cheaper and more effective if incorporated at the requirements specification and design stage.

How to establish security requirements

It is essential that an organization identifies its security requirements. There are three main sources.

The first source is derived from assessing risks to the organization. Through risk assessment, threats to assets are identified, vulnerability to and likelihood of occurrence are evaluated, and potential impact is estimated.

The second source is the legal, statutory, regulatory and contractual requirements that an organization, its trading partners, contractors and service providers have to satisfy.

The third source is the particular set of principles, objectives and requirements for information processing that an organization has developed to support its operations.

Assessing security risks

Security requirements are identified by a methodical assessment of security risks. Expenditure on controls needs to be balanced against the business harm likely to result from security failures. Risk assessment techniques can be applied to the whole organization, or only parts of it, as well as to individual information systems, specific system components or services where this is practicable, realistic and helpful.
Risk assessment is systematic consideration of:
a) the business harm likely to result from a security failure, taking into account the potential consequences of a loss of confidentiality, integrity or availability of the information and other assets;
b) consider new threats and vulnerabilities.

Information security starting point

b) safeguarding of organizational records (see );
b) allocation of information security responsibilities (see );
d) reporting security incidents (see );
b) an approach to implementing security that is consistent with the organizational culture;
d) a good understanding of the security requirements, risk assessment and risk management;
f) distribution of guidance on information security policy and standards to all employees and contractors;
h) a comprehensive and balanced system of measurement which is used to evaluate performance in information security management and to feed back suggestions for improvement.

Developing your own guidelines

This code of practice may be regarded as a starting point for developing organization-specific guidance. Not all of the guidance and controls in this code of practice may be applicable. Furthermore, additional controls not included in this document may be required. When this happens it may be useful to retain cross-references, which will facilitate compliance checking by auditors and business partners.
Table of Contents

1 SCOPE

2 TERMS AND DEFINITIONS
  Information security
  Risk assessment
  Risk management

3 SECURITY POLICY
  Information security policy
    Information security policy document
    Review and evaluation

4 SECURITY ORGANIZATION
  Information security infrastructure
    Management information security forum
    Information security coordination
    Allocation of information security responsibilities
    Authorization process for information processing facilities
    Specialist information security advice
    Cooperation between organizations
    Independent review of information security
  Security of third party access
    Identification of risks from third party access
    Security requirements in third party contracts
  Outsourcing
    Security requirements in outsourcing contracts

5 ASSET CLASSIFICATION AND CONTROL
  Accountability for assets
    Inventory of assets
  Information classification
    Classification guidelines
    Information labelling and handling

6 PERSONNEL SECURITY
  Security in job definition and resourcing
    Including security in job responsibilities
    Personnel screening and policy
    Confidentiality agreements
    Terms and conditions of employment
  User training
    Information security education and training
  Responding to security incidents and malfunctions
    Reporting security incidents
    Reporting security weaknesses
    Reporting software malfunctions
    Learning from incidents
    Disciplinary process

7 PHYSICAL AND ENVIRONMENTAL SECURITY
  Secure areas
    Physical security perimeter
    Physical entry controls
    Securing offices, rooms and facilities
    Working in secure areas
    Isolated delivery and loading areas
  Equipment security
    Equipment siting and protection
    Power supplies
    Cabling security
    Equipment maintenance
    Security of equipment off-premises
    Secure disposal or reuse of equipment
  General controls
    Clear desk and clear screen policy
    Removal of property

8 COMMUNICATIONS AND OPERATIONS MANAGEMENT
  Operational procedures and responsibilities
    Documented operating procedures
    Operational change control
    Incident management procedures
    Segregation of duties
    Separation of development and operational facilities
    External facilities management
  System planning and acceptance
    Capacity planning
    System acceptance
  Protection against malicious software
    Controls against malicious software
  Housekeeping
    Information backup
    Operator logs
    Fault logging
  Network management
    Network controls
  Media handling and security
    Management of removable computer media
    Disposal of media
    Information handling procedure