Presentation theory
Post on 18-Nov-2015
Table of Contents
(Entries numbered 9.x, 10.x and 11.x are the Vietnamese-language counterparts of the ISO/IEC 27002 clauses; they are translated into English throughout.)

12 Operations security
12.1 Operational procedures and responsibilities
12.1.1 Documented operating procedures
9. Communications and operations management
9.1. Operational procedures and responsibilities
9.1.1. Documented operating procedures
12.1.2 Change management
9.1.2. Change management
12.1.3 Capacity management
9.3.1. Capacity management
12.1.4 Separation of development, testing and operational environments
9.1.4. Separation of development, test and operational functions
12.2 Protection from malware
12.2.1 Controls against malware
9.4. Protection against malicious and mobile code
9.4.1. Controls against malicious code
12.3 Backup
12.3.1 Information backup
9.5. Backup
9.5.1. Information backup
12.4 Logging and monitoring
12.4.1 Event logging
9.10. Monitoring
9.10.1. Audit logging
12.4.2 Protection of log information
9.10.3. Protection of log information
12.4.3 Administrator and operator logs
9.10.4. Administrator and operator logs
12.4.4 Clock synchronisation
9.10.6. Clock synchronisation
12.5 Control of operational software
12.5.1 Installation of software on operational systems
11.4.1. Control of operational software
12.6 Technical vulnerability management
12.6.1 Management of technical vulnerabilities
11.6.1. Control of technical vulnerabilities
12.6.2 Restrictions on software installation
12.7 Information systems audit considerations
12.7.1 Information systems audit controls
13 Communications security
13.1 Network security management
13.1.1 Network controls
13.1.2 Security of network services
13.1.3 Segregation in networks
10.4.5. Segregation in networks
13.2 Information transfer
13.2.1 Information transfer policies and procedures
9.8. Exchange of information
9.8.1. Information exchange policies and procedures
13.2.2 Agreements on information transfer
13.2.3 Electronic messaging
9.8.4. Electronic messaging
12 Operations security

12.1 Operational procedures and responsibilities

Objective: To ensure correct and secure operations of information processing facilities.

12.1.1 Documented operating procedures

Control
Operating procedures should be documented and made available to all users who need them.

Implementation guidance
Documented procedures should be prepared for operational activities associated with information processing and communication facilities, such as computer start-up and close-down procedures, backup, equipment maintenance, media handling, computer room and mail handling management and safety.

The operating procedures should specify the operational instructions, including:
a) the installation and configuration of systems;
b) processing and handling of information, both automated and manual;
c) backup (see 12.3);
d) scheduling requirements, including interdependencies with other systems, earliest job start and latest job completion times;
e) instructions for handling errors or other exceptional conditions which might arise during job execution, including restrictions on the use of system utilities (see 9.4.4);
f) support and escalation contacts, including external support contacts, in the event of unexpected operational or technical difficulties;
g) special output and media handling instructions, such as the use of special stationery or the management of confidential output, including procedures for secure disposal of output from failed jobs (see 8.3 and 11.2.7);
h) system restart and recovery procedures for use in the event of system failure;
i) the management of audit-trail and system log information (see 12.4);
j) monitoring procedures.

Operating procedures and the documented procedures for system activities should be treated as formal documents and changes authorized by management. Where technically feasible, information systems should be managed consistently, using the same procedures, tools and utilities.

9. Communications and operations management

9.1. Operational procedures and responsibilities

Objective: To ensure the correct and secure operation of information processing facilities.

Responsibilities and procedures for the management and operation of all information processing facilities should be established. This includes the development of appropriate operating procedures.

Where appropriate, segregation of duties should be implemented to reduce the risk of negligent or deliberate misuse of systems.
9.1.1. Documented operating procedures

Control
Operating procedures should be documented, maintained, and made available to all users who need them.

Implementation guidance
Documented procedures should be prepared for system activities associated with information processing and communication facilities, such as computer start-up and shut-down procedures, backup, equipment maintenance, media handling, computer room and mail handling management, and safety.

The operating procedures should give detailed instructions for the execution of each job, including:
a) processing and handling of information;
b) backup (see 9.5.1);
c) scheduling requirements, including interdependencies with other systems, earliest job start and latest job completion times;
d) instructions for handling errors or other exceptional conditions which might arise during job execution, including restrictions on the use of system utilities (see 10.5.4);
e) support contacts in the event of unexpected operational or technical difficulties;
f) special output and media handling instructions, such as the use of special stationery or the management of confidential output, including procedures for secure disposal of output from failed jobs (see 9.7.2 and 9.7.3);
g) system restart and recovery procedures for use in the event of system failure;
h) the management of audit-trail and system log information (see 9.10).

Operating procedures and the documented procedures for system activities should be treated as formal documents, with changes authorized by management.
Where technically feasible, information systems should be managed consistently, using the same procedures, tools and utilities.

12.1.2 Change management

Control
Changes to the organization, business processes, information processing facilities and systems that affect information security should be controlled.

Implementation guidance
In particular, the following items should be considered:
a) identification and recording of significant changes;
b) planning and testing of changes;
c) assessment of the potential impacts, including information security impacts, of such changes;
d) formal approval procedure for proposed changes;
e) verification that information security requirements have been met;
f) communication of change details to all relevant persons;
g) fall-back procedures, including procedures and responsibilities for aborting and recovering from unsuccessful changes and unforeseen events;
h) provision of an emergency change process to enable quick and controlled implementation of changes needed to resolve an incident (see 16.1).

Formal management responsibilities and procedures should be in place to ensure satisfactory control of all changes. When changes are made, an audit log containing all relevant information should be retained.

Other information
Inadequate control of changes to information processing facilities and systems is a common cause of system or security failures. Changes to the operational environment, especially when transferring a system from development to operational stage, can impact on the reliability of applications (see 14.2.2).

9.1.2. Change management

Control
Changes to information processing facilities and systems must be controlled.

Implementation guidance
Changes to application software and operational systems should be subject to strict change control. In particular, the following items should be considered:
a) identification and recording of significant changes;
b) planning and testing of changes;
c) assessment of the potential impacts, including security impacts, of such changes;
d) formal approval procedure for the proposed changes;
e) communication of change details to all relevant persons;
f) fall-back procedures to restore the system to its state before the change, including procedures and responsibilities for aborting and recovering from unsuccessful changes and unforeseen events.

Formal management responsibilities and procedures should be in place to ensure satisfactory control of all changes to equipment, software or procedures. When changes are made, an audit log containing all relevant information should be retained.

Other information
Inadequate control of changes to information processing facilities is a common cause of system and information security failures. Changes to the operational environment, especially when transferring a system from development to operational stage, can affect the reliability of applications (see also 11.5.1).

Changes to operating systems should only be implemented when there is a valid business reason to do so, such as an increase in the risk to the system. Upgrading systems to the latest operating system or application version is not always in the organization's interest and may introduce more risk and instability than the current version. Software version upgrades may also bring additional training requirements, licence costs, support, maintenance and administration costs, and in particular new hardware during the migration.

12.1.3 Capacity management

Control
The use of resources should be monitored, tuned and projections made of future capacity requirements to ensure the required system performance.

Implementation guidance
Capacity requirements should be identified, taking into account the business criticality of the concerned system. System tuning and monitoring should be applied to ensure and, where necessary, improve the availability and efficiency of systems.
Detective controls should be put in place to indicate problems in due time. Projections of future capacity requirements should take account of new business and system requirements and current and projected trends in the organization's information processing capabilities.

Particular attention needs to be paid to any resources with long procurement lead times or high costs; therefore managers should monitor the utilization of key system resources. They should identify trends in usage, particularly in relation to business applications or information systems management tools.

Managers should use this information to identify and avoid potential bottlenecks and dependence on key personnel that might present a threat to system security or services, and plan appropriate action.

Providing sufficient capacity can be achieved by increasing capacity or by reducing demand. Examples of managing capacity demand include:
a) deletion of obsolete data (disk space);
b) decommissioning of applications, systems, databases or environments;
c) optimising batch processes and schedules;
d) optimising application logic or database queries;
e) denying or restricting bandwidth for resource-hungr
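The capacity-management guidance above calls for detective controls that flag problems in due time, for identifying usage trends, and for special attention to resources with long procurement lead times. The script below is an added example of one such detective control; it is not text or code from ISO/IEC 27002 or from the Vietnamese standard. It fits a least-squares trend to a series of utilisation samples, projects the day on which the resource crosses a threshold, and raises an alert when that day falls inside the procurement lead time, so that the order can still be placed before the resource is exhausted. The resource names, sample readings, threshold and lead times are constructed for illustration.

```python
"""Capacity trend projection as a detective control.

Added example, not text or code from ISO/IEC 27002 or the Vietnamese standard.
Fits an ordinary least-squares line to utilisation samples for a resource and
estimates when it will cross a threshold. The resource names, samples,
threshold and lead times used here are constructed for illustration.
"""
from dataclasses import dataclass
from typing import Optional, Sequence, Tuple

Sample = Tuple[float, float]  # (day index, percent of capacity in use)


@dataclass
class Projection:
    slope_per_day: float                   # utilisation growth in %/day
    intercept: float                       # fitted utilisation at day 0
    days_until_threshold: Optional[float]  # None when usage is flat or falling


def fit_trend(samples: Sequence[Sample]) -> Tuple[float, float]:
    """Ordinary least-squares fit of y = slope * x + intercept."""
    if len(samples) < 2:
        raise ValueError("need at least two samples to fit a trend")
    n = len(samples)
    mean_x = sum(x for x, _ in samples) / n
    mean_y = sum(y for _, y in samples) / n
    sxx = sum((x - mean_x) ** 2 for x, _ in samples)
    if sxx == 0:
        raise ValueError("all samples share one timestamp; no trend possible")
    sxy = sum((x - mean_x) * (y - mean_y) for x, y in samples)
    slope = sxy / sxx
    return slope, mean_y - slope * mean_x


def project(samples: Sequence[Sample], threshold_pct: float, now_day: float) -> Projection:
    """Estimate how many days remain until the fitted trend reaches threshold_pct."""
    slope, intercept = fit_trend(samples)
    if slope <= 0:
        return Projection(slope, intercept, None)
    current = intercept + slope * now_day
    # Already at or over the threshold: zero days, never a negative estimate.
    days = max(0.0, (threshold_pct - current) / slope)
    return Projection(slope, intercept, days)


def assess(resource: str, samples: Sequence[Sample], threshold_pct: float,
           lead_time_days: float, now_day: float) -> Tuple[str, str]:
    """Return ("alert" | "ok", message).

    An alert means the projected crossing falls inside the procurement lead
    time, i.e. ordering more capacity today is already the latest safe moment.
    """
    p = project(samples, threshold_pct, now_day)
    if p.days_until_threshold is None:
        return "ok", f"{resource}: utilisation flat or falling ({p.slope_per_day:+.2f} %/day)"
    msg = (f"{resource}: {p.slope_per_day:+.2f} %/day, reaches {threshold_pct:.0f}% "
           f"in {p.days_until_threshold:.1f} days (lead time {lead_time_days:.0f} days)")
    if p.days_until_threshold <= lead_time_days:
        return "alert", msg
    return "ok", msg


# Constructed samples: daily readings for two hypothetical resources.
DISK_SAMPLES = [(d, 60.0 + 1.5 * d) for d in range(7)]       # grows 1.5 %/day
LINK_SAMPLES = [(0, 42.0), (1, 41.0), (2, 40.0), (3, 39.0)]  # slowly falling

if __name__ == "__main__":
    # Hypothetical resources with constructed procurement lead times.
    for name, samples, lead, today in (
        ("san-volume-01", DISK_SAMPLES, 30, 6),
        ("wan-link-hq", LINK_SAMPLES, 45, 3),
    ):
        status, message = assess(name, samples, threshold_pct=90.0,
                                 lead_time_days=lead, now_day=today)
        print(status.upper(), message)
```

With the constructed readings the storage volume grows 1.5 % per day and sits at 69 % on day 6, so it reaches the 90 % threshold in 14 days; because that is shorter than the 30-day lead time the control alerts now, whereas a plain "above 90 %" threshold would only fire after procurement could no longer complete in time. A linear fit over a short window is deliberately simple: seasonal peaks or step changes (a new application going live) need a longer sampling window or a re-run of the fit after each new reading, and the lead time should come from the procurement records rather than a guess.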