
GB/T 19716-2005 English PDF

Standard ID        USD   Buy PDF   Lead time   Standard title (description)          Status
GB/T 19716-2005    RFQ   ASK       11 days     IT information security management    Obsolete

Similar standards

GB/T 20261   GB/T 20272   GB/T 20271   GB/T 37027   GB/T 43710   GB/T 19713   

Basic data

Standard ID: GB/T 19716-2005 (GB/T19716-2005)
Description (Translated English): IT information security management
Sector / Industry: National Standard (Recommended)
Classification of Chinese Standard: L80
Classification of International Standard: 35.040
Word Count Estimation: 51,531
Date of Issue: 2005-04-19
Date of Implementation: 2005-10-01
Adopted Standard: ISO/IEC 17799-2000, MOD
Regulation (derived from): Announcement of Newly Approved National Standards No. 6 of 2005 (No. 80 overall); Announcement of Newly Approved National Standards No. 10 of 2008 (total 123)
Issuing agency(ies): General Administration of Quality Supervision, Inspection and Quarantine of the People's Republic of China; Standardization Administration of China
Summary: This standard gives recommendations for information security management for use by those responsible for initiating, implementing or maintaining security in their organization. It provides a common basis for developing organizational security standards and effective security management practice, and provides confidence in dealings between organizations. Recommendations from this standard should be selected and used in accordance with applicable Chinese laws and regulations.

GB/T 19716-2005: IT information security management

---This is a DRAFT version for illustration, not a final translation. A full copy of the true PDF in English (including equations, symbols, images, flow charts, tables and figures) will be manually and carefully translated upon your order.

ICS 35.040
L80
National Standard of the People's Republic of China
GB/T 19716-2005
Information technology - Code of practice for information security management
(ISO/IEC 17799:2000, MOD)
Issued 2005-04-19, implemented 2005-10-01
Issued by the General Administration of Quality Supervision, Inspection and Quarantine of the People's Republic of China and the Standardization Administration of China

Content

Foreword
Introduction
1 Scope
2 Terms and definitions
  2.1 Information security
  2.2 Risk assessment
  2.3 Risk management
3 Security policy
  3.1 Information security policy
4 Organizational security
  4.1 Information security infrastructure
  4.2 Security of third-party access
  4.3 Outsourcing
5 Asset classification and control
  5.1 Accountability for assets
  5.2 Information classification
6 Personnel security
  6.1 Security in job definition and resourcing
  6.2 User training
  6.3 Responding to security incidents and malfunctions
7 Physical and environmental security
  7.1 Secure areas
  7.2 Equipment security
  7.3 General controls
8 Communications and operations management
  8.1 Operational procedures and responsibilities
  8.2 System planning and acceptance
  8.3 Protection against malicious software
  8.4 Housekeeping
  8.5 Network management
  8.6 Media handling and security
  8.7 Exchanges of information and software
9 Access control
  9.1 Business requirement for access control
  9.2 User access management
  9.3 User responsibilities
  9.4 Network access control
  9.5 Operating system access control
  9.6 Application access control
  9.7 Monitoring system access and use
  9.8 Mobile computing and teleworking
10 Systems development and maintenance
  10.1 Security requirements of systems
  10.2 Security in application systems
  10.3 Cryptographic controls
  10.4 Security of system files
  10.5 Security in development and support processes
11 Business continuity management
  11.1 Aspects of business continuity management
12 Compliance
  12.1 Compliance with legal requirements
  12.2 Reviews of security policy and technical compliance
  12.3 System audit considerations

Foreword

This standard is a modified adoption of ISO/IEC 17799:2000, Information technology - Code of practice for information security management (English version). Appropriate modifications have been made; in particular, "a) the use of cryptographic algorithms and cryptographic products approved by the competent national authorities" has been added to 12.1.6 (regulation of cryptographic controls).

This standard was proposed by the Ministry of Information Industry of the People's Republic of China and is under the jurisdiction of the National Information Security Standardization Technical Committee.

This standard was drafted by the China Electronics Technology Standardization Institute, the 30th Research Institute of China Electronics Technology Group Corporation, Shanghai Sanshi Guardian Information Security Co., Ltd., the 15th Research Institute of China Electronics Technology Group Corporation, and Beijing Sile Information Technology Co., Ltd.

The main drafters of this standard: Huang Jiaying, Lin Wangzhong, Wei Zhong, Lin Zhong, Wang Xinjie, Luo Fengying, Chen Xing.

Introduction

What is information security?

Like other important business assets, information is an asset that has value to an organization and consequently needs to be suitably protected. Information security protects information from a wide range of threats in order to ensure business continuity, minimize business damage, and maximize return on investment and business opportunities.

Information can exist in many forms. It can be printed or written on paper, stored electronically, transmitted by post or by electronic means, shown on film, or spoken in conversation. Whatever form the information takes, and whatever means it is stored or shared by, it should be properly protected.

Information security here means preserving the following properties:
a) Confidentiality: ensuring that information is accessible only to those authorized to have access;
b) Integrity: safeguarding the accuracy and completeness of information and processing methods;
c) Availability: ensuring that authorized users have access to information and associated assets when required.

Information security is achieved by implementing a suitable set of controls, which may be policies, practices, procedures, organizational structures, and software functions. These controls need to be established to ensure that the organization's specific security objectives are met.

Why is information security needed?

Information and the supporting processes, systems, and networks are important business assets. The confidentiality, integrity, and availability of information may be essential to maintaining competitive edge, cash flow, profitability, legal compliance, and commercial image.

Organizations and their information systems and networks increasingly face security threats from many sources, including computer-assisted fraud, espionage, sabotage, vandalism, fire, and flood. Sources of damage such as computer viruses, computer hacking, and denial-of-service attacks have become more common, more ambitious, and increasingly sophisticated.

Dependence on information systems and services means that organizations are more vulnerable to security threats. The interconnection of public and private networks and the sharing of information resources increase the difficulty of achieving access control. The trend toward distributed computing has weakened the effectiveness of central, specialist control.

Many information systems have not been designed to be secure. The security that can be achieved through technical means is limited and should be supported by appropriate management and procedures. Identifying which controls should be in place requires careful planning and attention to detail. Information security management needs, as a minimum, the participation of all employees in the organization; it may also require participation from suppliers, customers, or shareholders, and specialist advice from outside organizations may be needed as well. Information security controls are considerably cheaper and more effective if they are incorporated at the requirements specification and design stage.

How to establish security requirements

It is essential that an organization identifies its security requirements. There are three main sources:
a) The first source is derived from assessing the risks to the organization. Through risk assessment, threats to assets are identified, the vulnerability to and likelihood of occurrence of those threats are evaluated, and the potential impact is estimated.
b) The second source is the legal, statutory, regulatory, and contractual requirements that an organization, its trading partners, contractors, and service providers have to satisfy.
c) The third source is the particular set of principles, objectives, and requirements for information processing that an organization has developed to support its operations.

Assessing security risks

Security requirements are identified by a systematic assessment of security risks. Expenditure on controls needs to be balanced against the business harm likely to result from security failures. Risk assessment techniques can be applied to the whole organization or only to parts of it, and also to individual information systems, specific system components, or services, where this is practicable, realistic, and helpful.

The risk assessment should systematically consider:
a) the business harm likely to result from a security failure, taking into account the potential consequences of a loss of confidentiality, integrity, or availability of the information and other assets;
b) the realistic likelihood of such a failure occurring in the light of prevailing threats and vulnerabilities and the controls currently implemented.

The results of this assessment will help guide and determine the appropriate management action and priorities for managing information security risks and for implementing the controls selected to protect against these risks. The process of assessing risks and selecting controls may need to be performed a number of times to cover different parts of the organization or individual information systems.

It is important to carry out periodic reviews of security risks and implemented controls to:
a) take account of changes to business requirements and priorities;
b) consider new threats and vulnerabilities;
c) confirm that controls remain effective and appropriate.

Reviews should be performed at different levels of depth depending on the results of previous assessments and the changing levels of risk that management is prepared to accept. Risk assessments are often carried out first at a high level, as a means of prioritizing resources in areas of high risk, and then at a more detailed level to address specific risks.

Selecting controls

Once security requirements have been identified, controls should be selected and implemented to ensure that risks are reduced to an acceptable level. Controls can be selected from this standard or from other sets of controls, or new controls can be designed to meet specific needs as appropriate. There are many different ways of managing risks, and this standard provides examples of common approaches. However, it is necessary to recognize that some of the controls are not applicable to every information system or environment and might not be practicable for all organizations. As an example, 8.1.4 describes how duties may be segregated to prevent fraud and error. It may not be possible for smaller organizations to segregate all duties, and other ways of achieving the same control objective may be necessary. As another example, 9.7 and 12.1 describe how system use may be monitored and how evidence may be collected. The controls described, such as event logging, may conflict with applicable legislation, such as privacy protection for customers or in the workplace.

Controls should be selected based on the cost of implementation in relation to the risks being reduced and the potential losses if a security breach occurs. Non-monetary factors such as loss of reputation should also be taken into account. A number of the controls in this standard can be considered as guiding principles for information security management and are applicable to most organizations. They are explained in more detail below under the heading "Information security starting point".

Information security starting point

A number of controls can be considered as guiding principles providing a good starting point for implementing information security. They are either based on essential legislative requirements or considered to be common best practice for information security. Controls considered essential to an organization from a legislative point of view include:
a) data protection and privacy of personal information (see 12.1.4);
b) safeguarding of organizational records (see 12.1.3);
c) intellectual property rights (see 12.1.2).

Controls considered to be common best practice for information security include:
a) information security policy document (see 3.1);
b) allocation of information security responsibilities (see 4.1.3);
c) information security education and training (see 6.2.1);
d) reporting security incidents (see 6.3.1);
e) business continuity management (see 11.1).

These controls apply to most organizations and in most environments. It should be noted that although all controls in this standard are important, the relevance of any control should be determined in the light of the specific risks an organization faces. Hence, although the above approach is considered a good starting point, it does not replace the selection of controls based on a risk assessment.

Critical success factors

Experience has shown that the following factors are often critical to the successful implementation of information security within an organization:
a) security policy, objectives, and activities that reflect business objectives;
b) an approach to implementing security that is consistent with the organizational culture;
c) visible support and commitment from management;
d) a good understanding of the security requirements, risk assessment, and risk management;
e) effective communication of security needs to all managers and employees;
f) distribution of guidance on information security policy and standards to all employees and contractors;
g) provision of appropriate training and education;
h) a comprehensive and balanced system of measurement that is used to evaluate performance in information security management and to feed back suggestions for improvement.

Developing your own guidelines

This code of practice may be regarded as a starting point for developing organization-specific guidance. Not all of the guidance and controls in this code of practice may be applicable. Furthermore, additional controls not included in this standard may be required. When this happens it may be useful to retain cross-references, which facilitate compliance checking by auditors and business partners.
Information technology - Code of practice for information security management

1 Scope

This standard gives recommendations for information security management for use by those who are responsible for initiating, implementing or maintaining security in their organization. It is intended to provide a common basis for developing organizational security standards and effective security management practice, and to provide confidence in dealings between organizations. Recommendations from this standard should be selected and used in accordance with applicable Chinese laws and regulations.

2 Terms and definitions

The following terms and definitions apply to this standard.

2.1 Information security
Preservation of the confidentiality, integrity and availability of information.
--- Confidentiality: ensuring that information is accessible only to those authorized to have access.
--- Integrity: safeguarding the accuracy and completeness of information and processing methods.
--- Availability: ensuring that authorized users have access to information and associated assets when required.

2.2 Risk assessment
Assessment of threats to, impacts on and vulnerabilities of information and information processing facilities, and of the likelihood of their occurrence.

2.3 Risk management
Process of identifying, controlling and minimizing or eliminating security risks that may affect information systems, for an acceptable cost.

3 Security Policy

3.1 Information security policy

Objective: To provide management direction and support for information security.

Management should set a clear policy direction and demonstrate support for, and commitment to, information security through the issue and maintenance of an information security policy across the organization.

3.1.1 Information security policy document

A policy document should be approved by management, published and communicated, as appropriate, to all employees. It should state management commitment and set out the organization's approach to managing information security. As a minimum, the following guidance should be included:
a) a definition of information security, its overall objectives and scope, and the importance of security as an enabling mechanism for information sharing (see Introduction);
b) a statement of management intent, supporting the goals and principles of information security;
c) a brief explanation of the security policies, principles, standards and compliance requirements of particular importance to the organization, for example:
......

Tips & Frequently Asked Questions:

Question 1: How long will the true-PDF of GB/T 19716-2005_English be delivered?

Answer: Upon your order, we will start to translate GB/T 19716-2005_English as soon as possible and keep you informed of the progress. The lead time is typically 7 to 11 working days; the longer the document, the longer the lead time.

Question 2: Can I share the purchased PDF of GB/T 19716-2005_English with my colleagues?

Answer: Yes. The purchased PDF of GB/T 19716-2005_English will be deemed to be sold to your employer/organization who actually pays for it, including your colleagues and your employer's intranet.

Question 3: Does the price include tax/VAT?

Answer: Yes. Our tax invoice, downloaded/delivered in 9 seconds, includes all tax/VAT and complies with 100+ countries' tax regulations (tax exempted in 100+ countries) -- See Avoidance of Double Taxation Agreements (DTAs): List of DTAs signed between Singapore and 100+ countries

Question 4: Do you accept my currency other than USD?

Answer: Yes. If you need your currency to be printed on the invoice, please write an email to Sales@ChineseStandard.net. In 2 working-hours, we will create a special link for you to pay in any currencies. Otherwise, follow the normal steps: Add to Cart -- Checkout -- Select your currency to pay.