15 May 2006
NIST SP800
IPA
1. 2004 / 2005
March 2005 / August 2005
October 2005 / February 2006 BCP(1) BCP
BCP
BCP BCP BCP/BCM(2)
IT BCP
(Disaster Management in Japan) Meiji 13 (1880), Showa 21 (1946), Showa 34 (1959)
IT IT
1 BCP: Business Continuity Planning
2 BCM: Business Continuity Management
2. ISO/IEC 17799 / NIST SP800 Contingency Plan
Computer Security Incident Handling. NIST(3) published SP(4) 800-12, An Introduction to Computer Security: The NIST Handbook, in 1995; its Chapter 11 is "Preparing for Contingencies and Disasters" and Chapter 12 is "Computer Security Incident Handling". This was followed by SP800-34, Contingency Planning Guide for Information Technology Systems (IT), in June 2002; SP800-61, Computer Security Incident Handling Guide, in January 2004; and SP800-83, Guide to Malware Incident Prevention and Handling, in November 2005.
ISO/IEC 17799:2000 (JIS X 5080) control areas, with number of controls in each:
Security policy (2)
Security organization (10)
Asset classification & control (3)
Personnel security (10)
Physical & environmental security (13)
Communications & operations management (24)
Access control (31)
Systems development & maintenance (18)
Business continuity management (5)
Compliance (11)

ISO/IEC 17799:2005 (JIS Q 27002) control areas, with number of controls in each:
Security policy (2)
Organizing information security (11)
Asset management (5)
Human resources security (9)
Physical & environmental security (13)
Communications & operations management (32)
Access control (25)
Information systems acquisition, development and maintenance (16)
Information security incident management (5)
Business continuity management (5)
Compliance (10)

ISO/IEC 17799:2000 (JIS X 5080) and ISO/IEC 17799:2005 (JIS Q 27002)
ISO/IEC 17799:2000 / ISO/IEC 17799:2005
3 NIST: National Institute of Standards and Technology
4 SP: Special Publications (NIST)
ISO/IEC 17799:2000 (2000): 10 / 9 Business Continuity Management. ISO/IEC 17799:2005 (2005): Information Security Incident Management; 11 / 10 Business Continuity Management. 2000 2005
2000 / 2005: ISO/IEC 17799:2000 (JIS X 5080) 11. / 11.1 Aspects of business continuity management
ISO/IEC 17799:2005 14. / 14.1 Information security aspects of business continuity management
2000: "Aspects of business continuity management"; 2005: "Information security aspects of business continuity management". 2005
2000 2005
2000 (JIS X 5080) 11.1.2
2005 2 14.1.2
2000 / 2005
3. BCP Contingency Plan(5) 17 3 INTAP 16
ITDR(6)
ITDR
( IT)ITDRITIT IT
IT BCP IT IT INTAP IT 1 2006 3ITDR
5 Contingency Plan:
6 ITDR: IT Disaster Recovery
IT Disaster Recovery, IT Contingency Planning, BCP, Contingency Plan, Disaster Recovery Plan (Incident Response Plan)
BCPContingency Plan BCP CPBCP CPBCP
BCP
NIST SP800-34 IT(7) BCP BCP IT IT 11 September 2001
9,000
BCP BCP BCM BCM BCM IT (March 2004) 44.3 http://www.bcijapan.jp/documents/BCM_survey.pdf
7 NIST SP800-34 Contingency Planning Guide for Information Technology Systems (IT) SP800-34 IT SP800-34
IT IT ISO/IEC17799
BCPIT IT IT
2004 10
CSR IT
NISTITNIST SP800-34 ITIT NIST SP800-342.2 IT
IT IT SP800-34 8
BCP: Business Continuity Plan
BRP: Business Recovery (or Resumption) Plan
COOP: Continuity of Operations Plan
Continuity of Support Plan / IT Contingency Plan
Crisis Communications Plan
Cyber Incident Response Plan
DRP: Disaster Recovery Plan
OEP: Occupant Emergency Plan
IT IT IT IT "not business process focused" NIST IT SP800-34 IT
not business process focused
SP800-34 IT IT
IT ITIT ITSP800-34
IT
12 6.3.2 BCP http://www.bits.go.jp/active/general/pdf/k303-052.pdf
4. NIST SP800-34 8 2 IT
Reference Model
NIST SP800-34 2.2 IT
"Ultimately, an organization would use a suite of plans to properly prepare response, recovery, and continuity activities for disruptions affecting the organization's IT systems, business processes, and the facility." shall / should / would SP800-34 NIST
NISTIT
IT
Figure 2: BCP, OEP, DRP, Continuity of Support Plan / IT Contingency Plan, COOP, BRP
IT IT
NIST IT BCP/BCM ISO 2 BCI(8) Good Practice Guidelines; BSI PAS56(9) Guide to Business Continuity Management; NFPA(10) NFPA 1600 Standard on Disaster/Emergency Management and Business Continuity Programs (2004) 2
NFPA 1600 Annex A (Explanatory Material) A.5.3.2: "The hazard identification should include, but is not limited to, following types of potential hazards:" ( ) SARS
5.
DRII(11) BCI 10
1 2 3 4 5 6 7 8 9 10 Co-ordination with External Agencies
8 BCI: The Business Continuity Institute
9 PAS: Publicly Available Specification (PAS56)
10 NFPA: National Fire Protection Association
11 DRII: Disaster Recovery Institute International (1988)
BCP
BCPWebWebWeb
ITIT
IT
6. ISO/IEC 17799 / SP800-53
SP800-34 NIST SP ISO/IEC 17799 SP800-53 Recommended Security Controls for Federal Information Systems ISO/IEC 17799 SP800-53 ISO/IEC 17799:2005: 11 / 133; SP800-53: 17 / 160. ISO/IEC 17799:2005 5 SP800-53 IT 9
NIST SP 800-53 3 1
Figure 3: NIST SP800-53 control families: AC, AT, AU, CA, CM, CP (Contingency Planning), IA, IR (Incident Response), MA, MP, PE, PL, PS, RA, SA, SC, SI; CP-1
3 SP800-53 CP
SP800-53 CP family, CP-1 to CP-10 (control titles as given in SP800-53):
CP-1 Contingency Planning Policy and Procedures
CP-2 Contingency Plan
CP-3 Contingency Training
CP-4 Contingency Plan Testing
CP-5 Contingency Plan Update
CP-6 Alternate Storage Sites
CP-7 Alternate Processing Sites
CP-8 Telecommunications Services
CP-9 Information System Backup
CP-10 Information System Recovery and Reconstitution
17 / 163
Figure 4: ISO/IEC 17799:2005 control areas: Security policy; Organizing information security; Asset management; Human resources security; Physical & environmental security; Communications & operations management; Access control; Information systems acquisition, development and maintenance; Information security incident management; Business continuity management; Compliance.
4 ISO/IEC 17799:2005 (BCP)
14.1 Information security aspects of business continuity management
14.1.1 Including information security in the business continuity management process
14.1.2 Business continuity and risk assessment
14.1.3 Developing and implementing continuity plans including information security
14.1.4 Business continuity planning framework
14.1.5 Testing, maintaining and re-assessing business continuity plans
11 / 133
SP SP800-53 SP800-53
SP800-30 Risk Management Guide for Information Technology Systems (IT); CP: SP800-34 Contingency Planning Guide for Information Technology Systems (IT); IR: SP800-61 Computer Security Incident Handling Guide; SP800-83 Guide to Malware Incident Prevention and Handling. IPA NRI 2006 3 12: SP800-53, SP800-34, SP800-61 (Web), SP800-83.
6. SP800-34 IT
SP800-34IT
IT
SP800-34 7: 1. Develop the contingency planning policy statement 2. Conduct the business impact analysis (BIA) 3. Identify preventive controls 4. Develop recovery strategies 5. Develop an IT contingency plan 6. Plan testing, training and exercises 7. Plan maintenance (the seven steps of the SP800-34 contingency planning process)
6.1 IT
IT
SP800-34 ITIT
SP800-34
IT
IT ISO/IEC17799:2005 10.4.1
6.2
SP800-34 2.3
SDLC: System Development Life Cycle IT / /
6.3
IT IT
4
6.4 IT SP800-347 (1) (2) (3) (4) (5)IT (6) (7) ITIT 6
Figure 6: IT (LAN, WAN)
8
SOP (Standard Operating Procedure)
7. SP800-34DIT
:
http://www.meti.go.jp/report/downloadfiles/g50331d06j.pdf
http://www.meti.go.jp/report/data/g50331dj.html
http://www.bcijapan.jp/documents/guideline01.pdf
http://www.bousai.go.jp/MinkanToShijyou/shiryou4.pdf
Disaster Management in Japan: http://www.bousai.go.jp/panf/saigaipanf.pdf
IT (BCM survey): http://www.bcijapan.jp/documents/BCM_survey.pdf
INTAP 16 (March 2005): http://www.net.intap.or.jp/INTAP/information/report/16-business-report.pdf
http://www.boj.or.jp/about/03/data/sai0307a.pdf
July 2003: http://www.boj.or.jp/set/03/data/fsk0307a.pdf
BCP (23 June 2004): http://www.tse.or.jp/guide/bcp/bcp2004.pdf
Business Continuity Management Good Practice Guidelines (2005): http://www.thebci.org/goodpracticeguidetoBCM.pdf
NFPA 1600 Standard on Disaster/Emergency Management and Business Continuity Programs, 2004 Edition: http://www.state.nj.us/njoem/pdf/nfpa1600.pdf
NIST SP800: http://csrc.nist.gov/ and http://www.ipa.go.jp/security/publications/nist/
SP800-12 An Introduction to Computer Security: The NIST Handbook (October 1995)
SP800-34 Contingency Planning Guide for Information Technology Systems (IT) (June 2002)
SP800-61 Computer Security Incident Handling Guide (January 2004)
SP800-83 Guide to Malware Incident Prevention and Handling (November 2005)
SP800-53 Recommended Security Controls for Federal Information Systems (February 2005)
ISO/IEC 17799: JIS X 5080 (ISO/IEC 17799:2000); ISO/IEC 17799:2005
http://www.bits.go.jp/active/general/pdf/k303-052.pdf (December 2005)
http://www.