Ly Thuyet Thuyet Trinh

Embed Size (px)

DESCRIPTION

hhhhhhhhh

Citation preview

Table of Contents

The document pairs each ISO/IEC 27002:2013 control (12.x, 13.x) with the corresponding control of the Vietnamese-language text (9.x to 11.x); the Vietnamese passages are translated into English below.

12 Operations security
12.1 Operational procedures and responsibilities
12.1.1 Documented operating procedures
9. Communications and operations management
9.1. Operational procedures and responsibilities
9.1.1. Documented operating procedures
12.1.2 Change management
9.1.2. Change management
12.1.3 Capacity management
9.3.1. Capacity management
12.1.4 Separation of development, testing and operational environments
9.1.4. Separation of development, test and operational facilities
12.2 Protection from malware
12.2.1 Controls against malware
9.4. Protection against malicious and mobile code
9.4.1. Controls against malicious code
12.3 Backup
12.3.1 Information backup
9.5. Back-up
9.5.1. Information back-up
12.4 Logging and monitoring
12.4.1 Event logging
9.10. Monitoring
9.10.1. Audit logging
12.4.2 Protection of log information
9.10.3. Protection of log information
12.4.3 Administrator and operator logs
9.10.4. Administrator and operator logs
12.4.4 Clock synchronisation
9.10.6. Clock synchronisation
12.5 Control of operational software
12.5.1 Installation of software on operational systems
11.4.1. Control of operational software
12.6 Technical vulnerability management
12.6.1 Management of technical vulnerabilities
11.6.1. Control of technical vulnerabilities
12.6.2 Restrictions on software installation
12.7 Information systems audit considerations
12.7.1 Information systems audit controls
13 Communications security
13.1 Network security management
13.1.1 Network controls
13.1.2 Security of network services
13.1.3 Segregation in networks
10.4.5. Segregation in networks
13.2 Information transfer
13.2.1 Information transfer policies and procedures
9.8. Exchange of information
9.8.1. Information exchange policies and procedures
13.2.2 Agreements on information transfer
13.2.3 Electronic messaging
9.8.4. Electronic messaging

12 Operations security

12.1 Operational procedures and responsibilities

Objective: To ensure correct and secure operations of information processing facilities.

12.1.1 Documented operating procedures

Control
Operating procedures should be documented and made available to all users who need them.

Implementation guidance
Documented procedures should be prepared for operational activities associated with information processing and communication facilities, such as computer start-up and close-down procedures, backup, equipment maintenance, media handling, computer room and mail handling management, and safety.

The operating procedures should specify the operational instructions, including:
a) the installation and configuration of systems;
b) processing and handling of information, both automated and manual;
c) backup (see 12.3);
d) scheduling requirements, including interdependencies with other systems, earliest job start and latest job completion times;
e) instructions for handling errors or other exceptional conditions which might arise during job execution, including restrictions on the use of system utilities (see 9.4.4);
f) support and escalation contacts, including external support contacts, in the event of unexpected operational or technical difficulties;
g) special output and media handling instructions, such as the use of special stationery or the management of confidential output, including procedures for secure disposal of output from failed jobs (see 8.3 and 11.2.7);
h) system restart and recovery procedures for use in the event of system failure;
i) the management of audit-trail and system log information (see 12.4);
j) monitoring procedures.

Operating procedures and the documented procedures for system activities should be treated as formal documents, and changes to them authorized by management. Where technically feasible, information systems should be managed consistently, using the same procedures, tools and utilities.

9. Communications and operations management

9.1. Operational procedures and responsibilities

Objective: To ensure the correct and secure operation of information processing facilities.

Responsibilities and procedures for the management and operation of all information processing facilities should be established. This includes the development of appropriate operating procedures.

Where appropriate, segregation of duties should be implemented to reduce the risk of negligent or deliberate misuse of systems.

9.1.1. Documented operating procedures

Control
Operating procedures should be documented, maintained, and made available to all users who need them.

Implementation guidance
Documented procedures should be prepared for system activities associated with information processing and communication facilities, such as computer start-up and shut-down procedures, backup, equipment maintenance, device handling, computer room and mail handling management, and safety.

The operating procedures should specify detailed instructions for the execution of each job, including:
a) processing and handling of information;
b) backup (see 9.5.1);
c) scheduling requirements, including interdependencies with other systems, earliest job start and latest job completion times;
d) instructions for handling errors or other exceptional conditions which might arise during job execution, including restrictions on the use of system utilities (see 10.5.4);
e) support contacts in the event of unexpected operational or technical difficulties;
f) special output and media handling instructions, such as the use of special stationery or the management of confidential output, including procedures for secure disposal of output from failed jobs (see 9.7.2 and 9.7.3);
g) system restart and recovery procedures for use in the event of system failure;
h) the management of audit-trail and system log information (see 9.10).

Operating procedures and the documented procedures for system activities should be treated as formal documents, and changes to them authorized by management. Where technically feasible, information systems should be managed consistently, using the same procedures, tools and utilities.

12.1.2 Change management

Control
Changes to the organization, business processes, information processing facilities and systems that affect information security should be controlled.

Implementation guidance
In particular, the following items should be considered:
a) identification and recording of significant changes;
b) planning and testing of changes;
c) assessment of the potential impacts, including information security impacts, of such changes;
d) formal approval procedure for proposed changes;
e) verification that information security requirements have been met;
f) communication of change details to all relevant persons;
g) fall-back procedures, including procedures and responsibilities for aborting and recovering from unsuccessful changes and unforeseen events;
h) provision of an emergency change process to enable quick and controlled implementation of changes needed to resolve an incident (see 16.1).

Formal management responsibilities and procedures should be in place to ensure satisfactory control of all changes. When changes are made, an audit log containing all relevant information should be retained.

Other information
Inadequate control of changes to information processing facilities and systems is a common cause of system or security failures. Changes to the operational environment, especially when transferring a system from development to operational stage, can impact the reliability of applications (see 14.2.2).

9.1.2. Change management

Control
Changes to information processing facilities and systems should be controlled.

Implementation guidance
Changes to application software and operational systems should be strictly controlled. In particular, the following items should be considered:
a) identification and recording of significant changes;
b) planning and testing of changes;
c) assessment of the potential impacts, including security impacts, of such changes;
d) formal approval procedure for proposed changes;
e) communication of change details to all relevant persons;
f) fall-back procedures to return the system to its state before the change, including procedures and responsibilities for aborting and recovering from unsuccessful changes and unforeseen events.

Formal management responsibilities and procedures should be in place to ensure satisfactory control of all changes to equipment, software or procedures. When changes are made, an audit log containing all relevant information should be retained.

Other information
Inadequate control of changes to information processing facilities is a common cause of system and security failures. Changes to the operational environment, especially when transferring a system from the development stage to the operational stage, can affect the reliability of applications (see also 11.5.1).

Changes to operating systems should only be implemented when there is a valid business reason to do so, such as an increase in the risk to the system. Upgrading systems to the latest version of an operating system or application is not always appropriate, and may introduce more risk and instability than the current version. Upgrading software versions may also give rise to additional requirements for training, licence registration costs, support, maintenance and administration costs, and especially new hardware during the migration.

12.1.3 Capacity management

Control
The use of resources should be monitored, tuned and projections made of future capacity requirements to ensure the required system performance.

Implementation guidance
Capacity requirements should be identified, taking into account the business criticality of the concerned system. System tuning and monitoring should be applied to ensure and, where necessary, improve the availability and efficiency of systems.
Detective controls should be put in place to indicate problems in due time. Projections of future capacity requirements should take account of new business and system requirements and current and projected trends in the organization's information processing capabilities.

Particular attention needs to be paid to any resources with long procurement lead times or high costs; therefore managers should monitor the utilization of key system resources. They should identify trends in usage, particularly in relation to business applications or information systems management tools.

Managers should use this information to identify and avoid potential bottlenecks and dependence on key personnel that might present a threat to system security or services, and plan appropriate action.

Providing sufficient capacity can be achieved by increasing capacity or by reducing demand. Examples of managing capacity demand include:
a) deletion of obsolete data (disk space);
b) decommissioning of applications, systems, databases or environments;
c) optimising batch processes and schedules;
d) optimising application logic or database queries;
e) denying or restricting bandwidth for resource-hungry services if these are not business critical (e.g. video streaming).

A documented capacity management plan should be considered for mission critical systems.

Other information
This control also addresses the capacity of the human resources, as well as offices and facilities.

9.3.1. Capacity management

Control
The use of resources should be monitored, tuned, and projections made of future capacity requirements to ensure the required system performance.

Implementation guidance
Capacity requirements should be identified for each new and ongoing activity. System tuning and monitoring should be applied to ensure and, where necessary, improve the availability and efficiency of systems; detective controls should be put in place to indicate problems in due time.
Projections of future capacity requirements should take account of new business and system requirements and current and projected trends in the organization's information processing capabilities.

Particular attention should be paid to resources with high costs; managers should monitor the utilization of key system resources. They should identify trends in usage, particularly in relation to business applications or management information system tools.

Managers should use this information to identify and avoid potential bottlenecks and dependence on key personnel that could present a threat to system security or services, and plan appropriate action.

12.1.4 Separation of development, testing and operational environments

Control
Development, testing, and operational environments should be separated to reduce the risks of unauthorized access or changes to the operational environment.

Implementation guidance
The level of separation between operational, testing, and development environments that is necessary to prevent operational problems should be identified and implemented.

The following items should be considered:
a) rules for the transfer of software from development to operational status should be defined and documented;
b) development and operational software should run on different systems or computer processors and in different domains or directories;
c) changes to operational systems and applications should be tested in a testing or staging environment prior to being applied to operational systems;
d) other than in exceptional circumstances, testing should not be done on operational systems;
e) compilers, editors and other development tools or system utilities should not be accessible from operational systems when not required;
f) users should use different user profiles for operational and testing systems, and menus should display appropriate identification messages to reduce the risk of error;
g) sensitive data should not be copied into the testing system environment unless equivalent controls are provided for the testing system (see 14.3).

Other information
Development and testing activities can cause serious problems, e.g. unwanted modification of files or system environment, or system failure. There is a need to maintain a known and stable environment in which to perform meaningful testing and to prevent inappropriate developer access to the operational environment.

Where development and testing personnel have access to the operational system and its information, they may be able to introduce unauthorized and untested code or alter operational data. On some systems this capability could be misused to commit fraud or introduce untested or malicious code, which can cause serious operational problems.

Development and testing personnel also pose a threat to the confidentiality of operational information. Development and testing activities may cause unintended changes to software or information if they share the same computing environment. Separating development, testing and operational environments is therefore desirable to reduce the risk of accidental change or unauthorized access to operational software and business data (see 14.3 for the protection of test data).

9.1.4. Separation of development, test and operational facilities

Control
Development, test and operational facilities should be separated to reduce the risks of unauthorized access or changes to the operational system.

Implementation guidance
The level of separation between the operational, test and development environments that is necessary to prevent operational problems should be identified, and appropriate controls implemented.

The following items should be considered:
a) rules for the transfer of software from development to operational status should be defined and documented;
b) development and operational software should run on different systems or computer processors, and in different domains or directories;
c) compilers, editors and other system utilities should not be accessible from operational systems when not required;
d) the test system environment should emulate the operational system environment as closely as possible;
e) users should use different user profiles for operational and test systems, and the menu options in those profiles should display appropriate identification messages to reduce the risk of error;
f) sensitive data should not be copied into the test system environment (see 11.4.2).

Other information
Development and test activities can cause serious problems, e.g. unwanted modification of files or of the system environment, or system failure. A stable environment therefore needs to be maintained in which to perform meaningful testing and to prevent inappropriate access.

Where development and test personnel have access to the operational system and its information, they may be able to introduce unauthorized and untested code or alter operational data. On some systems this capability could be misused to commit fraud, or to introduce untested or malicious code, causing serious operational problems.

Development and test personnel also pose a threat to the confidentiality of operational information. Development and test activities may cause unintended changes to software or information if they share the same computing environment.
Separating development, test and operational facilities is therefore necessary to reduce the risk of accidental change or unauthorized access to operational software and business data (see also 11.4.2 on the protection of test data).

12.2 Protection from malware

Objective: To ensure that information and information processing facilities are protected against malware.

12.2.1 Controls against malware

Control
Detection, prevention and recovery controls to protect against malware should be implemented, combined with appropriate user awareness.

Implementation guidance
Protection against malware should be based on malware detection and repair software, information security awareness, and appropriate system access and change management controls. The following guidance should be considered:
a) establishing a formal policy prohibiting the use of unauthorized software (see 12.6.2 and 14.2);
b) implementing controls that prevent or detect the use of unauthorized software (e.g. application whitelisting);
c) implementing controls that prevent or detect the use of known or suspected malicious websites (e.g. blacklisting);
d) establishing a formal policy to protect against risks associated with obtaining files and software either from or via external networks or on any other medium, indicating what protective measures should be taken;
e) reducing vulnerabilities that could be exploited by malware, e.g. through technical vulnerability management (see 12.6);
f) conducting regular reviews of the software and data content of systems supporting critical business processes; the presence of any unapproved files or unauthorized amendments should be formally investigated;
g) installation and regular update of malware detection and repair software to scan computers and media as a precautionary control, or on a routine basis; the scan carried out should include:
1) scanning any files received over networks or via any form of storage medium for malware before use;
2) scanning electronic mail attachments and downloads for malware before use; this scan should be carried out at different places, e.g. at electronic mail servers, desktop computers and when entering the network of the organization;
3) scanning web pages for malware;
h) defining procedures and responsibilities to deal with malware protection on systems, training in their use, reporting and recovering from malware attacks;
i) preparing appropriate business continuity plans for recovering from malware attacks, including all necessary data and software backup and recovery arrangements (see 12.3);
j) implementing procedures to regularly collect information, such as subscribing to mailing lists or verifying websites giving information about new malware;
k) implementing procedures to verify information relating to malware, and ensure that warning bulletins are accurate and informative; managers should ensure that qualified sources, e.g. reputable journals, reliable Internet sites or suppliers producing software protecting against malware, are used to differentiate between hoaxes and real malware; all users should be made aware of the problem of hoaxes and what to do on receipt of them;
l) isolating environments where catastrophic impacts may result.

Other information
The use of two or more software products protecting against malware across the information processing environment from different vendors and technology can improve the effectiveness of malware protection.

Care should be taken to protect against the introduction of malware during maintenance and emergency procedures, which may bypass normal malware protection controls.

Under certain conditions, malware protection might cause disturbance within operations.

Use of malware detection and repair software alone as a malware control is not usually adequate, and commonly needs to be accompanied by operating procedures that prevent the introduction of malware.

9.4. Protection against malicious and mobile code

Objective: To protect the integrity of software and information.

Precautions are required to prevent and detect the introduction of malicious code and unauthorized mobile code.

Software and information processing facilities are vulnerable to the introduction of malicious code, such as computer viruses, network worms, Trojan horses and logic bombs. Users should be made aware of the dangers of malicious code. Managers should, where appropriate, introduce controls to prevent, detect and remove malicious code and to control mobile code.

9.4.1. Controls against malicious code

Control
Detection, prevention and recovery controls to protect against malicious code, and appropriate user awareness procedures, should be implemented.

Implementation guidance
Protection against malicious code should be based on malicious code detection and repair software, information security awareness, and appropriate system access and change management controls. The following guidance should be considered:
a) establishing a formal policy prohibiting the use of unauthorized software (see 14.1.2);
b) establishing a formal policy to protect against risks associated with obtaining files and software either from or via external networks, or on any other medium, indicating what protective measures should be taken;
c) conducting regular reviews of the software and data content of systems supporting critical business processes; the presence of any unapproved files or unauthorized amendments should be formally investigated;
d) installation and regular update of malicious code detection and repair software to scan computers and media as a precautionary control; the checks carried out should include:
1) checking any files on electronic or optical media, and files received over networks, for malicious code before use;
2) checking electronic mail attachments and downloads for malicious code before use; this check should be carried out at different places, e.g. at electronic mail servers, desktop computers and when entering the network of the organization;
3) checking web pages for malicious code;
e) defining management procedures and responsibilities to deal with malicious code protection on systems, training in their use, reporting and recovering from malicious code attacks (see 12.1 and 12.2);
f) preparing appropriate business continuity plans for recovering from malicious code attacks, including all necessary data and software backup and recovery arrangements (see 13);
g) implementing procedures to regularly collect information, e.g. subscribing to mailing lists and/or checking web sites giving information about new malicious code;
h) implementing procedures to verify information relating to malicious code, and ensure that warning bulletins are accurate and informative; managers should ensure that qualified sources, e.g. reputable journals, reliable Internet sites or suppliers producing software protecting against malicious code, are used to differentiate between hoaxes and real malicious code; all users should be made aware of the problem of hoaxes and what to do on receipt of them.

Other information
Using two or more software products protecting against malicious code from different vendors across the information processing environment can improve the effectiveness of malicious code protection.

Software to protect against malicious code can be installed so that it provides automatic updates of definition files and scanning engines, to ensure the protection is kept up to date. In addition, this software can be installed on every desktop to carry out automatic checks.

Care should be taken to protect against the introduction of malicious code during maintenance and emergency procedures, which may bypass normal malicious code protection controls.

9.4.2. Controls against mobile code

Control
Where the use of mobile code is authorized, the configuration should ensure that the authorized mobile code operates according to a clearly defined security policy; unauthorized mobile code should be prevented from executing.

Implementation guidance
The following actions should be considered to prevent mobile code from performing unauthorized actions:
a) executing mobile code in a logically isolated environment;
b) restricting the use of mobile code;
c) restricting the receipt of mobile code;
d) activating the technical measures available on a dedicated system to control mobile code;
e) controlling the resources available for mobile code to access;
f) cryptographic controls to authenticate mobile code.

Other information
Mobile code is software code which transfers from one computer to another and then executes automatically, performing a specific function with little or no user interaction. Mobile code is associated with a number of middleware services.

In addition to ensuring that mobile code does not contain malicious code, control of mobile code is essential to avoid unauthorized use of, or disruption to, system, network or application resources, and other information security breaches.
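Item f) of 12.2.1 (c) of 9.4.1) asks for regular reviews of the software and data content of critical systems, with every unapproved file or unauthorized amendment investigated. The following is an added example, not text or code from the standard or from the document's authors, of the mechanics such a review runs on: a baseline of SHA-256 digests is taken when the system content is approved and stored off-host, and later runs report files that were added, removed or modified. The directory tree, file names and contents are constructed for the demo; nothing about a real product or path is assumed.

```python
"""Added example (not code from ISO/IEC 27002): file-integrity review for 12.2.1 f)."""
import hashlib
import os
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Digest a file in 64 KiB chunks so large binaries are not read into memory at once."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(root: Path) -> dict[str, str]:
    """Map every regular file under root (POSIX-style relative path) to its digest.

    Symlinks are skipped (and os.walk does not follow linked directories), so a
    link planted inside the tree cannot make the review read files outside it.
    """
    digests: dict[str, str] = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            if p.is_symlink() or not p.is_file():
                continue
            digests[p.relative_to(root).as_posix()] = sha256_file(p)
    return digests


def compare(baseline: dict[str, str], current: dict[str, str]) -> dict[str, list[str]]:
    """Classify the differences between the approved baseline and the current state."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(p for p in baseline.keys() & current.keys()
                           if baseline[p] != current[p]),
    }


def demo() -> dict[str, list[str]]:
    """Approve a baseline of a constructed tree, then make three unapproved changes."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "bin").mkdir()
        (root / "etc").mkdir()
        (root / "bin" / "app").write_bytes(b"\x7fELF approved build")   # constructed content
        (root / "etc" / "app.conf").write_text("debug=false\n")
        approved = snapshot(root)          # taken at approval time; keep this copy off-host

        (root / "etc" / "app.conf").write_text("debug=true\n")   # unauthorized amendment
        (root / "bin" / "helper.sh").write_text("#!/bin/sh\n")    # unapproved file
        (root / "bin" / "app").unlink()                            # approved binary removed
        return compare(approved, snapshot(root))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths}")
```

The baseline only has value if an attacker who can alter the system cannot also alter it, which is why it belongs on a separate, read-only store; and every entry the comparison reports is a finding to be investigated and either approved into a new baseline or treated as an incident, not silently re-baselined.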

12.3 Backup

Objective: To protect against loss of data.

12.3.1 Information backup

Control
Backup copies of information, software and system images should be taken and tested regularly in accordance with an agreed backup policy.

Implementation guidance
A backup policy should be established to define the organization's requirements for backup of information, software and systems.

The backup policy should define the retention and protection requirements.

Adequate backup facilities should be provided to ensure that all essential information and software can be recovered following a disaster or media failure.

When designing a backup plan, the following items should be taken into consideration:
a) accurate and complete records of the backup copies and documented restoration procedures should be produced;
b) the extent (e.g. full or differential backup) and frequency of backups should reflect the business requirements of the organization, the security requirements of the information involved and the criticality of the information to the continued operation of the organization;
c) the backups should be stored in a remote location, at a sufficient distance to escape any damage from a disaster at the main site;
d) backup information should be given an appropriate level of physical and environmental protection (see Clause 11) consistent with the standards applied at the main site;
e) backup media should be regularly tested to ensure that they can be relied upon for emergency use when necessary; this should be combined with a test of the restoration procedures and checked against the restoration time required. Testing the ability to restore backed-up data should be performed onto dedicated test media, not by overwriting the original media, in case the backup or restoration process fails and causes irreparable data damage or loss;
f) in situations where confidentiality is of importance, backups should be protected by means of encryption.

Operational procedures should monitor the execution of backups and address failures of scheduled backups to ensure completeness of backups according to the backup policy.

Backup arrangements for individual systems and services should be regularly tested to ensure that they meet the requirements of business continuity plans. In the case of critical systems and services, backup arrangements should cover all systems information, applications and data necessary to recover the complete system in the event of a disaster.

The retention period for essential business information should be determined, taking into account any requirement for archive copies to be permanently retained.
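Items a) and e) of 12.3.1 together describe one cycle: take the copy, keep a record of what it contains, and prove it can be restored, onto dedicated test media rather than over the live data. The following is an added example, not code from the standard or the document's authors, that runs that cycle end to end: the source tree and scratch areas are constructed with tempfile, the archive naming and the JSON manifest layout are this example's own choices, and the "damaged" case simulates a media failure by truncating the archive. Encryption of the archive (item f) is left to the organization's tooling and is not shown.

```python
"""Added example (not code from ISO/IEC 27002): backup with a manifest and a restore test."""
import hashlib
import json
import tarfile
import tempfile
import time
from pathlib import Path


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def make_backup(source: Path, backup_dir: Path) -> tuple[Path, Path]:
    """Archive `source` and write a manifest (12.3.1 a) recording every file copied."""
    stamp = time.strftime("%Y%m%dT%H%M%SZ", time.gmtime())
    archive = backup_dir / f"backup-{stamp}.tar.gz"
    manifest = backup_dir / f"backup-{stamp}.manifest.json"
    files = {}
    with tarfile.open(archive, "w:gz") as tar:
        for p in sorted(source.rglob("*")):
            if p.is_file() and not p.is_symlink():
                rel = p.relative_to(source).as_posix()
                tar.add(p, arcname=rel)
                files[rel] = {"sha256": sha256_file(p), "size": p.stat().st_size}
    manifest.write_text(json.dumps({"created": stamp, "source": str(source), "files": files}, indent=2))
    return archive, manifest


def verify_restore(archive: Path, manifest: Path, scratch: Path) -> dict:
    """Restore into a dedicated scratch area (12.3.1 e) and check it against the manifest.

    The live source is never written to: a corrupt archive must not be able to
    damage the very data it was supposed to protect.
    """
    expected = json.loads(manifest.read_text())["files"]
    target = scratch / "restore-test"
    target.mkdir(parents=True)
    # The "data" extraction filter (Python 3.12, backported to maintenance releases)
    # refuses members that would write outside `target`; older interpreters lack it.
    extract_opts = {"filter": "data"} if hasattr(tarfile, "data_filter") else {}
    try:
        with tarfile.open(archive, "r:gz") as tar:
            tar.extractall(target, **extract_opts)
    except Exception as exc:  # any failure means this copy cannot be relied upon
        return {"ok": False, "error": f"{type(exc).__name__}: {exc}", "missing": [], "mismatched": []}
    missing = [rel for rel in expected if not (target / rel).is_file()]
    mismatched = [rel for rel in expected if rel not in missing
                  and sha256_file(target / rel) != expected[rel]["sha256"]]
    return {"ok": not missing and not mismatched, "error": None,
            "missing": missing, "mismatched": mismatched}


def demo() -> dict[str, dict]:
    """Back up a constructed tree, test-restore it, then test a damaged copy of the archive."""
    with tempfile.TemporaryDirectory() as tmp:
        base = Path(tmp)
        source, backups = base / "data", base / "backups"
        (source / "db").mkdir(parents=True)
        backups.mkdir()
        (source / "db" / "customers.csv").write_text("id,name\n1,alice\n2,bob\n")  # constructed
        (source / "app.ini").write_text("retention_days=90\n")

        archive, manifest = make_backup(source, backups)
        good = verify_restore(archive, manifest, base / "scratch-good")

        # Simulated media failure: the archive is truncated to half its length.
        damaged = backups / "damaged.tar.gz"
        blob = archive.read_bytes()
        damaged.write_bytes(blob[: len(blob) // 2])
        bad = verify_restore(damaged, manifest, base / "scratch-bad")
        return {"good": good, "damaged": bad}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Two points carry over to real backup tooling: the manifest is written from the live files at backup time, so a restore that matches it proves the copy is complete rather than merely readable; and timing the `verify_restore` call against the restoration time the business requires is the remaining check item e) asks for.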

9.5. Back-up

Objective: To maintain the integrity and availability of information and information processing facilities.

Routine procedures should be established to implement the agreed back-up policy and strategy (see 13.1) for taking back-up copies of data and rehearsing their timely restoration.

9.5.1. Information back-up

Control
Back-up copies of information and software should be taken and tested regularly in accordance with the agreed back-up policy.

Implementation guidance
Adequate back-up facilities should be provided to ensure that all essential information and software can be recovered following a disaster or media failure.

The following items for information back-up should be considered:
a) the necessary level of back-up information should be defined;
b) accurate and complete records of the back-up copies and documented restoration procedures should be produced;
c) the extent (e.g. full or differential back-up) and frequency of back-ups should reflect the business requirements of the organization, the security requirements of the information involved, and the criticality of the information to the continued operation of the organization;
d) the back-ups should be stored in a remote location, at a sufficient distance to escape any damage from a disaster at the main site;
e) back-up information should be given an appropriate level of physical and environmental protection (see clause 8) consistent with the standards applied at the main site; the controls applied to media at the main site should be extended to cover the back-up site;
f) back-up media should be regularly tested to ensure that they can be relied upon for emergency use when necessary;
g) restoration procedures should be regularly checked and tested to ensure that they are effective and that they can be completed within the time allotted in the operational procedures for recovery;
h) in situations where confidentiality is of importance, back-ups should be protected by means of encryption.

Back-up arrangements for individual systems should be regularly tested to ensure that they meet the requirements of the business continuity plans (see clause 13). For critical systems, the back-up arrangements should cover all systems information, applications and data necessary to recover the complete system in the event of a disaster.

The retention period for essential business information, and any requirement for archive copies to be permanently retained, should be determined (see 14.1.3).

Other information
Back-up arrangements can be automated to ease the back-up and restore process. Such automated solutions should be sufficiently tested prior to implementation and at regular intervals.

12.4 Logging and monitoring

Objective: To record events and generate evidence.

12.4.1 Event logging

Control
Event logs recording user activities, exceptions, faults and information security events should be produced, kept and regularly reviewed.

Implementation guidance
Event logs should include, when relevant:
a) user IDs;
b) system activities;
c) dates, times and details of key events, e.g. log-on and log-off;
d) device identity or location if possible, and system identifier;
e) records of successful and rejected system access attempts;
f) records of successful and rejected data and other resource access attempts;
g) changes to system configuration;
h) use of privileges;
i) use of system utilities and applications;
j) files accessed and the kind of access;
k) network addresses and protocols;
l) alarms raised by the access control system;
m) activation and de-activation of protection systems, such as anti-virus systems and intrusion detection systems;
n) records of transactions executed by users in applications.

Event logging sets the foundation for automated monitoring systems which are capable of generating consolidated reports and alerts on system security.

Other information
Event logs can contain sensitive data and personally identifiable information. Appropriate privacy protection measures should be taken (see 18.1.4).

Where possible, system administrators should not have permission to erase or de-activate logs of their own activities (see 12.4.3).

9.10. Monitoring

Objective: To detect unauthorized information processing activities.

Systems should be monitored and information security events should be recorded. Operator logs and fault logging should be used to ensure that all information system problems are identified.

An organization should comply with all relevant legal requirements applicable to its monitoring and logging activities.

System monitoring should also be used to check the effectiveness of the controls adopted and to verify conformity to an access policy model.

9.10.1. Audit logging

Control
Audit logs recording user activities, exceptions, and information security events should be produced and kept for an agreed period to assist in future investigations and access control monitoring.

Implementation guidance
Audit logs should include:
a) user IDs;
b) dates, times, and details of key events, e.g. log-on and log-off;
c) terminal identity or location if possible;
d) records of successful and rejected system access attempts;
e) records of successful and rejected data and other resource access attempts;
f) changes to system configuration;
g) use of privileges;
h) use of system utilities and applications;
i) files accessed and the kind of access;
j) network addresses and protocols;
k) alarms raised by the access control system;
l) activation and de-activation of protection systems, such as anti-virus systems and intrusion detection systems.

Other information
Audit logs may contain confidential personal data. Appropriate privacy protection measures should be taken (see also 14.1.4). Where possible, system administrators should not have permission to erase or de-activate logs of their own activities (see 9.1.3).

12.4.2 Protection of log information

Control
Logging facilities and log information should be protected against tampering and unauthorized access.

Implementation guidance
Controls should aim to protect against unauthorized changes to log information and operational problems with the logging facility, including:
a) alterations to the message types that are recorded;
b) log files being edited or deleted;
c) storage capacity of the log file media being exceeded, resulting in either the failure to record events or over-writing of past recorded events.

Some audit logs may be required to be archived as part of the record retention policy or because of requirements to collect and retain evidence (see 16.1.7).

Other information
System logs often contain a large volume of information, much of which is extraneous to information security monitoring.
To help identify significant events for information security monitoring purposes, the copying of appropriate message types automatically to a second log, or the use of suitable system utilities or audit tools to perform file interrogation and rationalization, should be considered.

System logs need to be protected, because if the data can be modified or data in them deleted, their existence may create a false sense of security. Real-time copying of logs to a system outside the control of a system administrator or operator can be used to safeguard logs.

9.10.3. Protection of log information

Control
Logging facilities and log information should be protected against tampering and unauthorized access.

Implementation guidance
Controls should aim to protect against unauthorized changes and operational problems with the logging facility, including:
a) alterations to the message types that are recorded;
b) log files being edited or deleted;
c) storage capacity of the log file media being exceeded, resulting in either the failure to record events or the over-writing of previously recorded events.

Some audit logs may be required to be retained as part of the record retention policy, or because of requirements to collect and retain evidence (see also 12.2.3).

Other information
System logs often contain a large volume of information, much of which is extraneous to security monitoring.
d dng nhn din cc s kin quan trng cho cc mc ch gim st an ton th cn quan tm n vic t ng sao chp li cc loi thng ip ph hp vo mt nht k th hai, v/hoc s dng cc tin ch h thng ph hp hoc cc cng c nh gi nhm thc hin iu tra v hp l ha tp.Cc nht k h thng cn c bo v, v nu d liu c th b sa i hoc d liu trong nht k b xa b th s tn ti ca chng c th gy ra li an ton thng tin.12.4.3 Administrator and operator logsControlSystem administrator and system operator activities should be logged and the logs protected andregularly reviewed.Implementation guidancePrivileged user account holders may be able to manipulate the logs on information processingfacilities under their direct control, therefore it is necessary to protect and review the logs to maintainaccountability for the privileged users.Other informationAn intrusion detection system managed outside of the control of system and network administratorscan be used to monitor system and network administration activities for compliance.9.10.4. Nht k ca ngi iu hnh v ngi qun trBin phpCc hot ng ca ngi qun tr v ngi iu hnh h thng cn c ghi vo nht k.Hng dn trin khaiCc nht k cn bao gm cc thng tin sau:a) thi gian xy ra s kin (d thnh cng hay tht bi);b) thng tin v s kin (v d cc tp c x l) hoc s c (v d li xy ra v hot ng sa li c thc hin);c) ti khon no v ngi qun tr hoc ngi iu hnh no tham gia;d) cc hot ng no c thc hin.Cn thng xuyn sot xt li cc nht k ca ngi iu hnh v qun tr h thng.Thng tin khcBn cnh vic kim sot nhng ngi qun tr v iu hnh, c th s dng thm h thng pht hin xm nhp nhm gim st h thng v cc hot ng qun tr mng cn tun th.12.4.4 Clock synchronisationControlThe clocks of all relevant information processing systems within an organization or security domainshould be synchronised to a single reference time source.Implementation guidanceExternal and internal requirements for time representation, synchronisation and accuracy shouldbe documented. 
Such requirements can be legal, regulatory, contractual requirements, standardscompliance or requirements for internal monitoring. A standard reference time for use within theorganization should be defined.The organizations approach to obtaining a reference time from external source(s) and how to synchroniseinternal clocks reliably should be documented and implemented.Other informationThe correct setting of computer clocks is important to ensure the accuracy of audit logs, which maybe required for investigations or as evidence in legal or disciplinary cases. Inaccurate audit logs may hinder such investigations and damage the credibility of such evidence. A clock linked to a radio time broadcast from a national atomic clock can be used as the master clock for logging systems. A network time protocol can be used to keep all of the servers in synchronisation with the master clock.9.10.6. ng b thi gianBin php qun lng h trn cc h thng x l thng tin trong t chc hoc trong mt phm vi an ton cn c ng b vi mt ngun thi gian chnh xc c ng la chn.Hng dn trin khaiNu mt my tnh hoc thit b truyn thng c kh nng iu khin mt ng h thi gian thc th ng h ny cn c t v mt chun theo tha thun, v d UTC hoc thi gian chun ni b. V mt s ng h thng b tri thi gian nn cn c th tc kim tra v hiu chnh ng h.Cch hin th nh dng ngy/gi rt quan trng trong vic m bo phn nh ng thi gian thc, cn lu cc c im c tnh cht a phng (nh thay i gi theo ma...).Thng tin khct cc ng h my tnh mt cch chnh xc l vn quan trng nhm m bo tnh chnh xc ca cc nht k nh gi, cc nht k nh gi ny c th cn cho vic iu tra hoc l bng chng trong cc trng hp vi phm php lut hoc k lut. Cc nht k nh gi khng chnh xc c th gy tr ngi cho cc cuc iu tra v lm nh hng n tin cy ca cc bng chng. ng h c lin kt n mt chng trnh pht thanh v tuyn t mt ng h nguyn t quc gia c th c s dng nh ng h ch i vi cc h thng ghi nht k. 
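The following added example (not from the standard or from either translation) puts the 12.4.1 record fields, the 12.4.2 failure modes and the 12.4.4 timestamps together: a hash-chained audit log whose verifier detects an edited record, a removed record and a truncated log. The function names, the in-memory list that stands in for the append-only log file and its real-time copy, and the sample events are all constructed for illustration; the hash chain is a swapped-in tamper-detection technique, not something the standard prescribes.

```python
import copy
import hashlib
import json
from datetime import datetime, timedelta, timezone

GENESIS = "0" * 64  # chain anchor for the first record (constructed constant)


def _digest(prev_hash: str, body: dict) -> str:
    """SHA-256 over the predecessor's hash plus the canonical JSON of this record."""
    payload = json.dumps(body, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + payload).encode("utf-8")).hexdigest()


def append_event(log, user_id, event, outcome, terminal=None, source_ip=None, when=None):
    """Append one record with the 12.4.1 fields. `log` is an in-memory list here,
    standing in for the append-only file that is also copied in real time to a
    collector the administrators cannot write to (12.4.2, 12.4.3)."""
    stamp = (when or datetime.now(timezone.utc)).astimezone(timezone.utc)
    record = {
        "seq": len(log),
        "time": stamp.isoformat(timespec="seconds"),  # UTC from a synchronised clock (12.4.4)
        "user_id": user_id,      # a) user ID
        "event": event,          # b) key event, e.g. log-on / log-off
        "outcome": outcome,      # d), e) success or denied
        "terminal": terminal,    # c) terminal identity, where available
        "source_ip": source_ip,  # j) network address
        "prev_hash": log[-1]["hash"] if log else GENESIS,
    }
    record["hash"] = _digest(record["prev_hash"], record)  # no "hash" key in the body yet
    log.append(record)
    return record


def verify_chain(log, expected_len=None):
    """Return (ok, problems). Catches an edited record (hash mismatch), a removed or
    reordered record (sequence gap / broken chain), timestamps that run backwards,
    and, when the collector's record count is known, a truncated or overwritten log."""
    problems = []
    prev, last_time = GENESIS, None
    for i, rec in enumerate(log):
        body = {k: v for k, v in rec.items() if k != "hash"}
        if rec.get("seq") != i:
            problems.append(f"record {i}: sequence gap (seq={rec.get('seq')}), record(s) missing")
        if rec.get("prev_hash") != prev:
            problems.append(f"record {i}: chain broken, predecessor removed or altered")
        if _digest(rec.get("prev_hash", ""), body) != rec.get("hash"):
            problems.append(f"record {i}: content does not match its hash (edited)")
        if last_time is not None and rec.get("time", "") < last_time:
            problems.append(f"record {i}: timestamp earlier than predecessor (clock skew or reorder)")
        last_time, prev = rec.get("time", ""), rec.get("hash", "")
    if expected_len is not None and len(log) < expected_len:
        problems.append(f"{len(log)} records present, {expected_len} expected: truncated or overwritten")
    return (not problems, problems)


def demo():
    """Constructed sample: three events, then the three 12.4.2 failure modes."""
    t0 = datetime(2024, 5, 1, 8, 0, 0, tzinfo=timezone.utc)
    log = []
    append_event(log, "alice", "log-on", "success", "ws-12", "10.0.0.5", t0)
    append_event(log, "alice", "read /finance/q1.xlsx", "denied", "ws-12", "10.0.0.5",
                 t0 + timedelta(minutes=1))
    append_event(log, "root", "de-activate anti-virus", "success", "console", "10.0.0.1",
                 t0 + timedelta(minutes=2))

    edited = copy.deepcopy(log)
    edited[1]["outcome"] = "success"  # a denied access rewritten as a success
    deleted = copy.deepcopy(log)
    del deleted[1]                    # a middle record removed; the chain exposes it
    truncated = log[:1]               # media full: later events were never written
    # Removing only the *last* record leaves a valid chain, which is why the
    # collector's copy (expected_len) is still needed for the truncation check.
    return {
        "intact": verify_chain(log, expected_len=3)[0],
        "edited": verify_chain(edited)[0],
        "deleted": verify_chain(deleted)[0],
        "truncated": verify_chain(truncated, expected_len=3)[0],
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name:10s} {'chain OK' if ok else 'TAMPERING DETECTED'}")
```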
A network time protocol can be used to keep all the clocks synchronized with the master clock.

12.5 Control of operational software

Objective: To ensure the integrity of operational systems.

12.5.1 Installation of software on operational systems

Control

Procedures should be implemented to control the installation of software on operational systems.

Implementation guidance

The following guidelines should be considered to control changes of software on operational systems:
a) the updating of the operational software, applications and program libraries should only be performed by trained administrators upon appropriate management authorization (see 9.4.5);
b) operational systems should only hold approved executable code and not development code or compilers;
c) applications and operating system software should only be implemented after extensive and successful testing; the tests should cover usability, security, effects on other systems and user-friendliness and should be carried out on separate systems (see 12.1.4); it should be ensured that all corresponding program source libraries have been updated;
d) a configuration control system should be used to keep control of all implemented software as well as the system documentation;
e) a rollback strategy should be in place before changes are implemented;
f) an audit log should be maintained of all updates to operational program libraries;
g) previous versions of application software should be retained as a contingency measure;
h) old versions of software should be archived, together with all required information and parameters, procedures, configuration details and supporting software for as long as the data are retained in archive.

Vendor supplied software used in operational systems should be maintained at a level supported by the supplier. Over time, software vendors will cease to support older versions of software. The organization should consider the risks of relying on unsupported software.

Any decision to upgrade to a new release should take into account the business requirements for the change and the security of the release, e.g. the introduction of new information security functionality or the number and severity of information security problems affecting this version. Software patches should be applied when they can help to remove or reduce information security weaknesses (see 12.6).

Physical or logical access should only be given to suppliers for support purposes when necessary and with management approval. The supplier's activities should be monitored (see 15.2.1).

Computer software may rely on externally supplied software and modules, which should be monitored and controlled to avoid unauthorized changes, which could introduce security weaknesses.

11.4.1. Control of operational software

Control

There should be procedures in place to control the installation of software on operational systems.

Implementation guidance

To minimize the risk of corruption of operational systems, the following guidelines should be considered to control changes:
a) the updating of operational software, applications and program libraries should only be performed by trained administrators upon appropriate management authorization (see 11.4.3);
b) operational systems should only hold approved executable code, and not development code or compilers;
c) applications and operating system software should only be implemented after extensive and successful testing; the tests should include tests on usability, security, effects on other systems and user-friendliness, and should be carried out on separate systems (see also 9.1.4); it should also be ensured that all corresponding program source libraries have been updated;
d) a configuration control system should be used to keep control of all implemented software as well as the system documentation;
e) a rollback strategy should be in place before changes are implemented;
f) an audit log should be maintained of all updates to operational program libraries;
g) previous versions of application software should be retained as a contingency measure;
h) old versions of software should also be archived, together with all required information on parameters, procedures, configuration details and supporting software, for as long as the data are retained.

Vendor supplied software used in operational systems should be maintained at a level supported by the supplier. Over time, software vendors will cease to support older versions of software. The organization should consider the risks of having to rely on unsupported software.

Any decision to upgrade to a new release should take into account the business requirements for the change and the security of the release, i.e. the introduction of new security functionality or the number and severity of security problems affecting this version. Software patches should also be applied where they can help to remove or reduce security weaknesses (see also 11.6.1).

Physical and logical access should only be granted to suppliers for support purposes when necessary, and with management approval. The supplier's activities should be monitored.

Computer software may rely on externally supplied software and modules, which should be monitored and controlled to prevent unauthorized changes that could introduce information security weaknesses.

Other information

Operating systems should only be upgraded when there is a requirement to do so, for example when the current version of the operating system can no longer support the business requirements. Upgrades should not be carried out just because a new version of the operating system is available. New versions of operating systems may be less secure, less stable and less well understood than the current system.

12.6 Technical vulnerability management

Objective: To prevent exploitation of technical vulnerabilities.

12.6.1 Management of technical vulnerabilities

Control

Information about technical vulnerabilities of information systems being used should be obtained in a timely fashion, the organization's exposure to such vulnerabilities evaluated and appropriate measures taken to address the associated risk.

Implementation guidance

A current and complete inventory of assets (see Clause 8) is a prerequisite for effective technical vulnerability management. Specific information needed to support technical vulnerability management includes the software vendor, version numbers, current state of deployment (e.g. what software is installed on what systems) and the person(s) within the organization responsible for the software.

Appropriate and timely action should be taken in response to the identification of potential technical vulnerabilities. The following guidance should be followed to establish an effective management process for technical vulnerabilities:
a) the organization should define and establish the roles and responsibilities associated with technical vulnerability management, including vulnerability monitoring, vulnerability risk assessment, patching, asset tracking and any coordination responsibilities required;
b) information resources that will be used to identify relevant technical vulnerabilities and to maintain awareness about them should be identified for software and other technology (based on the asset inventory list, see 8.1.1); these information resources should be updated based on changes in the inventory or when other new or useful resources are found;
c) a timeline should be defined to react to notifications of potentially relevant technical vulnerabilities;
d) once a potential technical vulnerability has been identified, the organization should identify the associated risks and the actions to be taken; such action could involve patching of vulnerable systems or applying other controls;
e) depending on how urgently a technical vulnerability needs to be addressed, the action taken should be carried out according to the controls related to change management (see 12.1.2) or by following information security incident response procedures (see 16.1.5);
f) if a patch is available from a legitimate source, the risks associated with installing the patch should be assessed (the risks posed by the vulnerability should be compared with the risk of installing the patch);
g) patches should be tested and evaluated before they are installed to ensure they are effective and do not result in side effects that cannot be tolerated; if no patch is available, other controls should be considered, such as:
1) turning off services or capabilities related to the vulnerability;
2) adapting or adding access controls, e.g. firewalls, at network borders (see 13.1);
3) increased monitoring to detect actual attacks;
4) raising awareness of the vulnerability;
h) an audit log should be kept for all procedures undertaken;
i) the technical vulnerability management process should be regularly monitored and evaluated in order to ensure its effectiveness and efficiency;
j) systems at high risk should be addressed first;
k) an effective technical vulnerability management process should be aligned with incident management activities, to communicate data on vulnerabilities to the incident response function and provide technical procedures to be carried out should an incident occur;
l) define a procedure to address the situation where a vulnerability has been identified but there is no suitable countermeasure. In this situation, the organization should evaluate risks relating to the known vulnerability and define appropriate detective and corrective actions.

Other information

Technical vulnerability management can be viewed as a sub-function of change management and as such can take advantage of the change management processes and procedures (see 12.1.2 and 14.2.2).

Vendors are often under significant pressure to release patches as soon as possible. Therefore, there is a possibility that a patch does not address the problem adequately and has negative side effects. Also, in some cases, uninstalling a patch cannot be easily achieved once the patch has been applied.

If adequate testing of the patches is not possible, e.g. because of costs or lack of resources, a delay in patching can be considered to evaluate the associated risks, based on the experience reported by other users. The use of ISO/IEC 27031[14] can be beneficial.

11.6. Technical vulnerability management

Objective: To reduce the risks resulting from the exploitation of published technical vulnerabilities by attackers.

Technical vulnerability management should be implemented in an effective, systematic and repeatable way, with measures taken to confirm its effectiveness. The systems considered should include the operating systems and any other applications in use.

11.6.1. Control of technical vulnerabilities

Control

Timely information about technical vulnerabilities of the information systems being used should be obtained. The organization should assess its exposure to these vulnerabilities and take appropriate measures to address the associated risks.

Implementation guidance

A current and complete inventory of assets (see 6.1) is a prerequisite for effective technical vulnerability management. Specific information needed to support technical vulnerability management includes the software vendor, version numbers, current state of deployment (e.g. what software is installed on what systems), and the person(s) within the organization responsible for the software.

Appropriate, timely action should be taken to identify potential technical vulnerabilities. The following guidance should be followed to establish an effective management process for technical vulnerabilities:
a) the organization should define and establish the roles and responsibilities associated with technical vulnerability management, including vulnerability monitoring, vulnerability risk assessment, patching, asset tracking and any coordination responsibilities required;
b) the information resources that will be used to identify relevant technical vulnerabilities and to maintain awareness about them should be identified for software and other technology (based on the asset inventory list, see 6.1.1); these information resources should be updated following changes in the inventory, or when other new or useful resources are found;
c) a timeline should be defined to react to notifications of potentially relevant technical vulnerabilities;
d) once a potential technical vulnerability has been identified, the organization should identify the associated risks and the actions to be taken; such action could involve patching of vulnerable systems and/or applying other controls;
e) depending on how urgently a technical vulnerability needs to be addressed, the action identified should be carried out according to the controls related to change management (see 11.5.1) or by following information security incident response procedures (see 12.2);
f) if a patch is available, the risks associated with installing the patch should be assessed (the risks posed by the vulnerability should be compared with the risk of installing the patch);
g) patches should be tested and evaluated before they are installed to ensure they are effective and do not result in side effects that the system cannot tolerate; if no patch is available, other controls should be considered, such as:
1) turning off services or capabilities related to the vulnerability;
2) adapting or adding access controls, e.g. firewalls at network borders (see 10.4.5);
3) increased monitoring to detect or prevent actual attacks;
4) raising awareness of the vulnerability;
h) an audit log should be kept for all procedures undertaken;
i) the technical vulnerability management process should be regularly monitored and evaluated in order to ensure its effectiveness and efficiency;
j) systems at high risk should be addressed first.

Other information

The correct functioning of an organization's technical vulnerability management process is critical to many organizations and should therefore be monitored regularly. An accurate asset inventory is also essential to ensure that potentially relevant technical vulnerabilities are identified.

Technical vulnerability management can be viewed as a sub-function of change management and as such can take advantage of the change management processes and procedures (see 9.1.2 and 11.5.1).

Vendors are often under significant pressure to release patches as soon as possible. Therefore, a patch may not address the problem adequately and may have negative side effects. Also, in some cases, uninstalling a patch may not be easy once the patch has been applied.

If adequate testing of the patches is not possible, e.g. because of costs or lack of resources, a delay in patching can be considered, evaluating the associated risks based on the experience reported by other users.

12.6.2 Restrictions on software installation

Control

Rules governing the installation of software by users should be established and implemented.

Implementation guidance

The organization should define and enforce strict policy on which types of software users may install.

The principle of least privilege should be applied. If granted certain privileges, users may have the ability to install software. The organization should identify what types of software installations are permitted (e.g. updates and security patches to existing software) and what types of installations are prohibited (e.g. software that is only for personal use and software whose pedigree with regard to being potentially malicious is unknown or suspect). These privileges should be granted having regard to the roles of the users concerned.

Other information

Uncontrolled installation of software on computing devices can lead to introducing vulnerabilities and then to information leakage, loss

12.7 Information systems audit considerations

Objective: To minimise the impact of audit activities on operational systems.

12.7.1 Information systems audit controls

Control

Audit requirements and activities involving verification of operational systems should be carefully planned and agreed to minimize disruptions to business processes.

Implementation guidance

The following guidelines should be observed:
a) audit requirements for access to systems and data should be agreed with appropriate management;
b) the scope of technical audit tests should be agreed and controlled;
c) audit tests should be limited to read-only access to software and data;
d) access other than read-only should only be allowed for isolated copies of system files, which should be erased when the audit is completed, or given appropriate protection if there is an obligation to keep such files under audit documentation requirements;
e) requirements for special or additional processing should be identified and agreed;
f) audit tests that could affect system availability should be run outside business hours;
g) all access should be monitored and logged to produce a reference trail.

14.3. Information systems audit considerations

Objective: To maximize the effectiveness of, and to minimize interference to or from, the information systems audit process.

There should be controls to safeguard operational systems and audit tools during information systems audits.

Protection is also required to safeguard the integrity and prevent the misuse of audit tools.

14.3.1. Information systems audit controls

Control

Audit requirements and activities involving checks on operational systems should be carefully planned and agreed to minimize the risk of disruption to business processes.

Implementation guidance

The following guidelines should be observed:
a) audit requirements should be agreed with management;
b) the scope of the checks should be agreed and controlled;
c) the checks should be limited to read-only access to software and data;
d) access other than read-only should only be allowed for isolated copies of system files, which should be erased when the audit is completed, or given appropriate protection if there is an obligation to keep such files under audit documentation requirements;
e) the resources for performing the checks should be explicitly identified and made available;
f) requirements for special or additional processing should also be identified and agreed;
g) all access should be monitored and logged to produce a reference trail; the use of time-stamped reference trails should be considered for critical systems or data;
h) all procedures, requirements and responsibilities should be documented;
i) the person(s) carrying out the audit should be independent of the activities audited.

14.3.2. Protection of information systems audit tools

Control

Access to information systems audit tools should be protected against any possible misuse or compromise.

Implementation guidance

Information systems audit tools, e.g. software or data files, should be separated from operational and development systems and not held in tape libraries or user areas, unless given an appropriate level of protection.

Other information

If third parties are involved in an audit, there may be a risk that those third parties misuse the audit tools and gain access to information. Controls such as 5.2.1 (to assess risks) and 8.1.2 (to restrict physical access) may need to be considered to address this risk and any consequences, e.g. immediately changing any passwords disclosed to the auditors.

13 Communications security

13.1 Network security management

Objective: To ensure the protection of information in networks and its supporting information processing facilities.

13.1.1 Network controls

Control

Networks should be managed and controlled to protect information in systems and applications.

Implementation guidance

Controls should be implemented to ensure the security of information in networks and the protection of connected services from unauthorized access. In particular, the following items should be considered:
a) responsibilities and procedures for the management of networking equipment should be established;
b) operational responsibility for networks should be separated from computer operations where appropriate (see 6.1.2);
c) special controls should be established to safeguard the confidentiality and integrity of data passing over public networks or over wireless networks and to protect the connected systems and applications (see Clause 10 and 13.2); special controls may also be required to maintain the availability of the network services and computers connected;
d) appropriate logging and monitoring should be applied to enable recording and detection of actions that may affect, or are relevant to, information security;
e) management activities should be closely coordinated both to optimize the service to the organization and to ensure that controls are consistently applied across the information processing infrastructure;
f) systems on the network should be authenticated;
g) systems' connection to the network should be restricted.

Other information

Additional information on network security can be found in ISO/IEC 27033.[15][16][17][18][19]

13.1.2 Security of network services

Control

Security mechanisms, service levels and management requirements of all network services should be identified and included in network services agreements, whether these services are provided in-house or outsourced.

Implementation guidance

The ability of the network service provider to manage agreed services in a secure way should be determined and regularly monitored, and the right to audit should be agreed.

The security arrangements necessary for particular services, such as security features, service levels and management requirements, should be identified. The organization should ensure that network service providers implement these measures.

Other information

Network services include the provision of connections, private network services and value added networks and managed network security solutions such as firewalls and intrusion detection systems. These services can range from simple unmanaged bandwidth to complex value-added offerings.

Security features of network services could be:
a) technology applied for security of network services, such as authentication, encryption and network connection controls;
b) technical parameters required for secured connection with the network services in accordance with the security and network connection rules;
c) procedures for the network service usage to restrict access to network services or applications, where necessary.

Cc dch v mng bao gm vic cung cp cc kt ni, dch v mng ring v gi tr gia tngmng v cc gii php an ninh mng c qun l nh tng la v cc h thng pht hin xm nhp.Nhng dch v ny c th dao ng t bng thng n gin khng c qun l cho cc dch v gi tr gia tng phc tp.Tnh nng bo mt ca dch v mng c th l:a) p dng cng ngh bo mt ca dch v mng, chng hn nh chng thc, m ha v mngiu khin kt ni;b) Cc thng s k thut cn thit kt ni bo mt vi cc dch v mng theo quy nhvi cc quy tc bo mt v kt ni mng;c) cc th tc cho vic s dng dch v mng hn ch quyn truy cp vo cc dch v mng hoc cc ng dng,khi cn thit.13.1.3 Segregation in networksControlGroups of information services, users and information systems should be segregated on networks.Implementation guidanceOne method of managing the security of large networks is to divide them into separate network domains.The domains can be chosen based on trust levels (e.g. public access domain, desktop domain, serverdomain), along organizational units (e.g. human resources, finance, marketing) or some combination (e.g.server domain connecting to multiple organizational units). The segregation can be done using eitherphysically different networks or by using different logical networks (e.g.virtual private networking).The perimeter of each domain should be well defined. Access between network domains is allowed, butshould be controlled at the perimeter using a gateway (e.g. firewall, filtering router). The criteria forsegregation of networks into domains, and the access allowed through the gateways, should be basedon an assessment of the security requirements of each domain. The assessment should be in accordancewith the access control policy (see 9.1.1), access requirements, value and classification of informationprocessed and also take account of the relative cost and performance impact of incorporating suitablegateway technology.Wireless networks require special treatment due to the poorly defined network perimeter. 
For sensitiveenvironments, consideration should be made to treat all wireless access as external connections andto segregate this access from internal networks until the access has passed through a gateway inaccordance with network controls policy (see 13.1.1) before granting access to internal systems.The authentication, encryption and user level network access control technologies of modern, standardsbased wireless networks may be sufficient for direct connection to the organizations internal networkwhen properly implemented.Other informationNetworks often extend beyond organizational boundaries, as business partnerships are formed thatrequire the interconnection or sharing of information processing and networking facilities. Suchextensions can increase the risk of unauthorized access to the organizations information systems thatuse the network, some of which require protection from other network users because of their sensitivity or criticality.10.4.5. Phn tch trn mngBin php qun lCc nhm ngi dng, dch v v h thng thng tin cn c phn tch trn cc mng.Hng dn trin khaiMt phng php kim sot an ton cho cc mng ln l phn tch chng thnh cc vng mng logic, v d cc vng mng bn trong v cc vng mng bn ngoi ca t chc, mi vng c bo v bi mt vnh ai an ton xc nh. Mt b cc bin php qun l tng tin c th c p dng trong cc vng mng logic khc nhau tip tc phn tch tip cc mi trng an ninh mng, v d cc h thng truy cp cng cng, cc mng ni b v cc ti sn quan trng. Cc vng cn c xc nh da trn qu trnh nh gi ri ro v cc yu cu an ton thng tin khc nhau trong tng lnh vc.Mt vnh ai mng nh vy c th c trin khai khi ci t mt cng an ton gia hai mng kt ni vi nhau qun l truy cp v lung thng tin gia hai min, cng an ton ny cn c cu hnh lc lu lng gia cc min ny (xem 10.4.6 v 10.4.7) v chn truy cp tri php theo quy nh ca chnh sch qun l truy cp ca t chc (xem 10.1). Tng la l mt v d ca cng an ton. 
Mt phng php phn tch cc min logic khc l hn ch truy cp mng bng cch s dng mng ring o cho cc nhm ngi dng trong t chc.Cc mng cng c th c phn tch nh tnh nng ca thit b mng, v d chuyn mch IP. Khi cc min phn tch c th c trin khai khi qun l cc lung d liu mng bng cc nng lc nh tuyn/chuyn mch, v d tnh nng danh sch qun l truy cp.Tiu ch phn tch mng cn da trn chnh sch qun l truy cp v cc yu cu truy cp (xem 9.1), v cng cn xem xt chi ph tng i v nh hng ca nh tuyn mng hp l hoc cng ngh cng ln cht lng mng (xem 10.4.6 v 10.4.7).Hn na, vic phn tch mng cng cn da trn gi tr v s phn loi thng tin c lu tr hoc c x l trong mng, cc mc tin cy hoc cc gii hn nghip v lm gim nh hng tng th ca vic phn tch dch v.Cn quan tm n vic phn tch cc mng khng dy khi cc mng ni b v mng c nhn. Nu khng xc nh c cc vnh ai mng ca mng khng dy th cn thc hin nh gi ri ro xc nh cc bin php qun l (v d xc thc mnh, cc phng php m ha, v la chn tn s) duy tr s phn tch mng.Thng tin khcMng cng ngy cng c xu hng m rng ra ngoi ranh gii ca t chc, v cc quan h i tc kinh doanh c hnh thnh c th yu cu kt ni hoc chia s cc phng tin mng v phng tin x l thng tin. 
Extending networks in this way may increase the risk of unauthorized access to the information systems that already use the network, some of which may require protection from other network users because of their criticality or sensitivity.
13.2 Information transfer
Objective: To maintain the security of information transferred within an organization and with any external entity.
13.2.1 Information transfer policies and procedures
Control
Formal transfer policies, procedures and controls should be in place to protect the transfer of information through the use of all types of communication facilities.
Implementation guidance
The procedures and controls to be followed when using communication facilities for information transfer should consider the following items:
a) procedures designed to protect transferred information from interception, copying, modification, mis-routing and destruction;
b) procedures for the detection of and protection against malware that may be transmitted through the use of electronic communications (see 12.2.1);
c) procedures for protecting communicated sensitive electronic information that is in the form of an attachment;
d) policy or guidelines outlining acceptable use of communication facilities (see 8.1.3);
e) personnel, external party and any other users' responsibilities not to compromise the organization, e.g. through defamation, harassment, impersonation, forwarding of chain letters, unauthorized purchasing, etc.;
f) use of cryptographic techniques e.g. to protect the confidentiality, integrity and authenticity of information (see Clause 10);
g) retention and disposal guidelines for all business correspondence, including messages, in accordance with relevant national and local legislation and regulations;
h) controls and restrictions associated with using communication facilities, e.g. automatic forwarding of electronic mail to external mail addresses;
i) advising personnel to take appropriate precautions not to reveal confidential information;
j) not leaving messages containing confidential information on answering machines since these may be replayed by unauthorized persons, stored on communal systems or stored incorrectly as a result of misdialling;
k) advising personnel about the problems of using facsimile machines or services, namely:
1) unauthorized access to built-in message stores to retrieve messages;
2) deliberate or accidental programming of machines to send messages to specific numbers;
3) sending documents and messages to the wrong number either by misdialling or using the wrong stored number.
In addition, personnel should be reminded that they should not have confidential conversations in public places or over insecure communication channels, open offices and meeting places.
Information transfer services should comply with any relevant legal requirements (see 18.1).
Other information
Information transfer may occur through the use of a number of different types of communication facilities, including electronic mail, voice, facsimile and video.
Software transfer may occur through a number of different mediums, including downloading from the Internet and acquisition from vendors selling off-the-shelf products.
The business, legal and security implications associated with electronic data interchange, electronic commerce and electronic communications and the requirements for controls should be considered.
9.8. Exchange of information
Objective: To maintain the security of information and software exchanged within an organization and with any external entity.
Exchanges of information and software between organizations should be based on a formal exchange policy, carried out in line with exchange agreements, and should comply with any relevant legislation.
Procedures and standards should be established to protect information and the physical media containing information while in transit.
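Items a) and f) of 13.2.1 above ask for procedures that protect transferred information against modification and mis-routing and for cryptographic techniques that give integrity and authenticity. The following added example, which is not text or code from ISO/IEC 27002, shows one way to meet those two items with a shared-key HMAC-SHA256 tag over a canonical envelope: the receiver detects a modified message, a message addressed to someone else, and a replayed copy. It deliberately does not provide confidentiality against interception; for that the envelope would be wrapped in an authenticated cipher such as AES-GCM. Sender and receiver names, the key and the payloads are constructed.

```python
"""Authenticity, integrity and mis-routing checks for a transferred message.

Added example, not from ISO/IEC 27002. Confidentiality is NOT provided here;
wrap the envelope in an authenticated cipher (e.g. AES-GCM) for that.
Names, key and payloads below are constructed.
"""
import hashlib
import hmac
import json

def _canonical(body: dict) -> bytes:
    """Deterministic encoding so sender and receiver tag exactly the same bytes."""
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()

def seal(key: bytes, sender: str, recipient: str, seq: int, payload: bytes) -> dict:
    """Envelope whose tag binds sender, intended recipient and sequence number to the payload."""
    body = {"from": sender, "to": recipient, "seq": seq, "payload": payload.hex()}
    return {**body, "tag": hmac.new(key, _canonical(body), hashlib.sha256).hexdigest()}

class Receiver:
    def __init__(self, key: bytes, identity: str):
        self.key, self.identity = key, identity
        self.last_seq = {}  # highest sequence number accepted from each sender

    def open(self, env: dict):
        """Return (status, payload); payload is None unless status is 'ok'."""
        body = {k: v for k, v in env.items() if k != "tag"}
        expected = hmac.new(self.key, _canonical(body), hashlib.sha256).hexdigest()
        # Constant-time compare, and checked first so nothing below trusts unverified fields.
        if not hmac.compare_digest(expected, env.get("tag", "")):
            return "modified", None
        if body.get("to") != self.identity:
            return "mis-routed", None      # delivered to a party it was not addressed to
        if body.get("seq", 0) <= self.last_seq.get(body.get("from"), 0):
            return "replayed", None        # copy of a message already accepted
        self.last_seq[body["from"]] = body["seq"]
        return "ok", bytes.fromhex(body["payload"])
```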

9.8.1. Information exchange policies and procedures
Control
Formal exchange policies, procedures and controls should be in place to protect the exchange of information through the use of communication facilities.
Implementation guidance
The procedures and controls to be followed when using electronic communication facilities for information exchange should consider the following items:
a) procedures designed to protect exchanged information from interception, copying, modification, mis-routing and destruction;
b) procedures for the detection of and protection against malicious code that may be transmitted through the use of electronic communications (see 9.4.1);
c) procedures for protecting communicated sensitive electronic information that is in the form of an attachment;
d) policy or guidelines outlining acceptable use of electronic communication facilities (see 6.1.3);
e) procedures for the use of wireless communications, taking into account the particular risks involved;
f) employee, contractor and any other users' responsibilities not to compromise the organization, e.g. through defamation, harassment, impersonation, forwarding of chain letters, unauthorized purchasing, etc.;
g) use of cryptographic techniques e.g. to protect the confidentiality, integrity and authenticity of information (see 11.3);
h) retention and disposal guidelines for all business correspondence, including messages, in accordance with relevant national and local legislation and regulations;
i) not leaving sensitive or critical information on printing facilities, e.g. copiers, printers and scanners, as these may be accessed by unauthorized persons;
j) controls and restrictions associated with the forwarding of communication facilities, e.g. automatic forwarding of electronic mail to external mail addresses;
k) reminding personnel to take appropriate precautions, e.g. not to reveal sensitive information, to avoid being overheard or intercepted when making a phone call by:
1) people in their immediate vicinity, particularly when using mobile phones;
2) wiretapping, and other forms of eavesdropping through physical access to the phone handset or the phone line, or using scanning receivers;
3) people at the recipient's end;
l) not leaving messages containing sensitive information on answering machines since these may be replayed by unauthorized persons, stored on communal systems or stored incorrectly as a result of misdialling;
m) reminding personnel about the problems of using facsimile machines, namely:
1) unauthorized access to built-in message stores to retrieve messages;
2) deliberate or accidental programming of machines to send messages to specific numbers;
3) sending documents and messages to the wrong number either by misdialling or using the wrong stored number;
n) reminding personnel not to register personal data, e.g. e-mail addresses or other personal information, in any software, to avoid its collection for unauthorized use;
o) reminding personnel that modern facsimile machines and copiers have page caches and store pages in case of a transmission or paper fault, which will be printed as soon as the fault is cleared.
In addition, personnel should be reminded that they should not have confidential conversations in public places or open offices and meeting places without sound-insulated walls.
Information exchange facilities should comply with any relevant legal requirements (see Clause 14).
Other information
Information exchange may occur through the use of a number of different types of communication facilities, including electronic mail, voice, facsimile and video.
Software exchange may occur through a number of different mediums, including downloading from the Internet and acquisition from vendors selling off-the-shelf products.
The business, legal and security implications associated with electronic data interchange, electronic commerce and electronic communications, and the requirements for controls, should be considered.
Information could be compromised due to a lack of awareness, policy or procedures on the use of information exchange facilities, e.g. being overheard on a mobile phone in a public place, misdirection of an electronic mail message, answering machines being overheard, unauthorized access to dial-in voice-mail systems, or accidentally sending facsimiles to the wrong facsimile equipment.
Business operations could be disrupted and information could be compromised if communication facilities fail, are overloaded or are interrupted (see 9.3 and Clause 13).
Information could be compromised if accessed by unauthorized users (see Clause 10).
13.2.2 Agreements on information transfer
Control
Agreements should address the secure transfer of business information between the organization and external parties.
Implementation guidance
Information transfer agreements should incorporate the following:
a) management responsibilities for controlling and notifying transmission, dispatch and receipt;
b) procedures to ensure traceability and non-repudiation;
c) minimum technical standards for packaging and transmission;
d) escrow agreements;
e) courier identification standards;
f) responsibilities and liabilities in the event of information security incidents, such as loss of data;
g) use of an agreed labelling system for sensitive or critical information, ensuring that the meaning of the labels is immediately understood and that the information is appropriately protected (see 8.2);
h) technical standards for recording and reading information and software;
i) any special controls that are required to protect sensitive items, such as cryptography (see Clause 10);
j) maintaining a chain of custody for information while in transit;
k) acceptable levels of access control.
Policies, procedures and standards should be established and maintained to protect information and physical media in transit (see 8.3.3), and should be referenced in such transfer agreements.
The information security content of any agreement should reflect the sensitivity of the business information involved.
Other information
Agreements may be electronic or manual, and may take the form of formal contracts. For confidential information, the specific mechanisms used for the transfer of such information should be consistent for all organizations and types of agreements.
9.8.2. Exchange agreements
Control
Agreements should be established for the exchange of information and software between the organization and external parties.
Implementation guidance
Exchange agreements should consider the following security conditions:
a) management responsibilities for controlling and notifying transmission, dispatch and receipt;
b) procedures for notifying the sender of transmission, dispatch and receipt;
c) procedures to ensure traceability and non-repudiation;
d) minimum technical standards for packaging and transmission;
e) escrow agreements;
f) courier identification standards;
g) responsibilities and liabilities in the event of information security incidents, such as loss of data;
h) use of an agreed labelling system for sensitive or critical information, ensuring that the meaning of the labels is immediately understood and that the information is appropriately protected;
i) ownership of and responsibilities for data protection, copyright, software licence compliance and similar considerations (see 14.1.2 and 14.1.4);
j) technical standards for recording and reading information and software;
k) any special controls that may be required to protect sensitive items, such as cryptographic keys (see 11.3).
Policies, procedures and standards should be established and maintained to protect information and physical media in transit (see also 9.8.3), and should be referenced in such exchange agreements.
The security content of any agreement should reflect the sensitivity of the business information involved.
Other information
Agreements may be electronic or manual, and may take the form of formal contracts or conditions of employment. For sensitive information, the specific mechanisms used for the exchange of such information should be consistent for all organizations and types of agreements.
13.2.3 Electronic messaging
Control
Information involved in electronic messaging should be appropriately protected.
Implementation guidance
Information security considerations for electronic messaging should include the following:
a) protecting messages from unauthorized access, modification or denial of service commensurate with the classification scheme adopted by the organization;
b) ensuring correct addressing and transportation of the message;
c) reliability and availability of the service;
d) legal considerations, for example requirements for electronic signatures;
e) obtaining approval prior to using external public services such as instant messaging, social networking or file sharing;
f) stronger levels of authentication controlling access from publicly accessible networks.
Other information
There are many types of electronic messaging such as email, electronic data interchange and social networking which play a role in business communications.
9.8.4. Electronic messaging
Control
Information involved in electronic messaging should be appropriately protected.
Implementation guidance
Security considerations for electronic messaging should include the following:
a) protecting messages from unauthorized access, modification or denial of service;
b) ensuring correct addressing and transportation of the message;
c) general reliability and availability of the service;
d) legal considerations, for example requirements for electronic signatures;
e) obtaining approval prior to using external public services such as instant messaging or file sharing;
f) access from publicly accessible networks should be controlled by stronger levels of authentication.
Other information
Electronic messaging such as electronic mail, electronic data interchange (EDI) and instant messaging plays an increasingly important role in business communications. Electronic messaging carries more risks than paper-based communications.
13.2.4 Confidentiality or non-disclosure agreements
Control
Requirements for confidentiality or non-disclosure agreements reflecting the organization's needs for the protection of information should be identified, regularly reviewed and documented.
Implementation guidance
Confidentiality or non-disclosure agreements should address the requirement to protect confidential information using legally enforceable terms. Confidentiality or non-disclosure agreements are applicable to external parties or employees of the organization. Elements should be selected or added in consideration of the type of the other party and its permissible access or handling of confidential information. To identify requirements for confidentiality or non-disclosure agreements, the following elements should be considered:
a) a definition of the information to be protected (e.g. confidential information);
b) expected duration of an agreement, including cases where confidentiality might need to be maintained indefinitely;
c) required actions when an agreement is terminated;
d) responsibilities and actions of signatories to avoid unauthorized information disclosure;
e) ownership of information, trade secrets and intellectual property, and how this relates to the protection of confidential information;
f) the permitted use of confidential information and rights of the signatory to use information;
g) the right to audit and monitor activities that involve confidential information;
h) process for notification and reporting of unauthorized disclosure or confidential information leakage;
i) terms for information to be returned or destroyed at agreement cessation;
j) expected actions to be taken in case of a breach of the agreement.
Based on an organization's information security requirements, other elements may be needed in a confidentiality or non-disclosure agreement.
Confidentiality and non-disclosure agreements should comply with all applicable laws and regulations for the jurisdiction to which they apply (see 18.1).
Requirements for confidentiality and non-disclosure agreements should be reviewed periodically and when changes occur that influence these requirements.
Other information
Confidentiality and non-disclosure agreements protect organizational information and inform signatories of their responsibility to protect, use and disclose information in a responsible and authorized manner.
There may be a need for an organization to use different forms of confidentiality or non-disclosure agreements in different circumstances.
13.2.4 Confidentiality or non-disclosure agreements
Control
Requirements for confidentiality or non-disclosure agreements reflecting the organization's needs for the protection of information should be clearly identified and regularly reviewed.
Implementation guidance
Confidentiality or non-disclosure agreements should address the requirement to protect confidential information using legally enforceable terms. To identify requirements for confidentiality or non-disclosure agreements, the following elements should be considered:
a) a definition of the information to be protected (e.g. confidential information);
b) expected duration of an agreement, including cases where confidentiality might need to be maintained indefinitely;
c) required actions when an agreement is terminated;
d) responsibilities and actions of signatories to avoid unauthorized information disclosure;
e) ownership of information, trade secrets and intellectual property, and how this relates to the protection of confidential information;
f) the permitted use of confidential information and the rights of the signatory to use information;
g) the right to audit and monitor activities that involve confidential information;
h) process for notification and reporting of unauthorized disclosure or confidential information leakage;
i) terms for information to be returned or destroyed at agreement cessation;
j) expected actions to be taken in case of a breach of the agreement.
Based on the organization's information security requirements, other elements may be needed in a confidentiality or non-disclosure agreement.
Confidentiality and non-disclosure agreements should comply with all applicable laws and regulations (see also 14.1.1).
Requirements for confidentiality and non-disclosure agreements should be reviewed periodically and when changes occur that influence these requirements.
Other information
Confidentiality or non-disclosure agreements protect organizational information and inform signatories of their responsibility to protect, use and disclose information in a responsible and authorized manner.
An organization may also need to use different forms of confidentiality or non-disclosure agreements in different circumstances.