Background verification checks on all candidates for employment shall be carried out in accordance with relevant laws, regulations and ethics and shall be proportional to the business requirements, the classification of the information to be accessed and the perceived risks.

A.7.1.2 Terms and conditions of employment
The contractual agreements with employees and contractors shall state their and the organization's responsibilities for information security.

A.7.2 During employment
Objective: To ensure that employees and contractors are aware of and fulfil their information security responsibilities.

A.7.2.1 Management responsibilities
Management shall require all employees and external party users to apply security in accordance with the established policies and procedures of the organization.

A.7.2.2 Information security awareness, education and training
All employees of the organization and, where relevant, contractors shall receive appropriate awareness education and training and regular updates in organizational policies and procedures, as relevant for their job function.

A.7.2.3 Disciplinary process
There shall be a formal and communicated disciplinary process in place to take action against employees who have committed an information security breach.

A.7.3 Termination and change of employment
Objective: To protect the organization's interests as part of the process of changing or terminating employment.

A.7.3.1 Termination or change of employment responsibilities
Information security responsibilities and duties that remain valid after termination or change of employment shall be defined, communicated to the employee or external party user and enforced.

A.8 Asset management

A.8.1 Responsibility for assets
Objective: To achieve and maintain appropriate protection of organizational assets.

A.8.1.1 Inventory of assets
Assets associated with information and information processing facilities shall be identified and an inventory of these assets shall be drawn up and maintained.

A.8.1.2 Ownership of assets
Assets maintained in the inventory shall be owned.

A.8.1.3 Acceptable use of assets
Rules for the acceptable use of information and of assets associated with information and information processing facilities shall be identified, documented and implemented.

A.8.1.4 Return of assets
All employees and external party users shall return all of the organizational assets in their possession upon termination of their employment, contract or agreement.

A.8.2 Information classification
Objective: To ensure that information receives an appropriate level of protection in accordance with its importance to the organization.

A.8.2.1 Classification of information
Information shall be classified in terms of legal requirements, value, criticality and sensitivity to unauthorized disclosure or modification.

A.8.2.2 Labeling of information
An appropriate set of procedures for information labeling shall be developed and implemented in accordance with the information classification scheme adopted by the organization.

A.8.2.3 Handling of assets
Procedures for handling assets shall be developed and implemented in accordance with the information classification scheme adopted by the organization.

A.8.3 Media handling
Objective: To prevent unauthorized disclosure, modification, removal or destruction of information stored on media.

A.8.3.1 Management of removable media
Procedures shall be implemented for the management of removable media in accordance with the classification scheme adopted by the organization.

A.8.3.2 Disposal of media
Media shall be disposed of securely when no longer required, using formal procedures.

A.8.3.3 Physical media transfer
Media containing information shall be protected against unauthorized access, misuse or corruption during transportation.

A.9 Access control

A.9.1 Business requirements of access control
Objective: To restrict access to information and information processing facilities.

A.9.1.1 Access control policy
An access control policy shall be established, documented and reviewed based on business and security requirements.

A.9.1.2 Policy on the use of network services
Users shall only be provided with access to the network and network services that they have been specifically authorized to use.

A.9.2 User access management
Objective: To ensure authorized user access and to prevent unauthorized access to systems and services.

A.9.2.1 User registration and de-registration
A formal user registration and de-registration process shall be implemented to enable assignment of access rights.

A.9.2.2 User access provisioning
A formal user access provisioning process shall be implemented to assign or revoke access rights for all user types to all systems and services.

A.9.2.3 Management of privileged access rights
The allocation and use of privileged access rights shall be restricted and controlled.

A.9.2.4 Management of secret authentication information of users
The allocation of secret authentication information shall be controlled through a formal management process.

A.9.2.5 Review of user access rights
Asset owners shall review users' access rights at regular intervals.

A.9.2.6 Removal or adjustment of access rights
The access rights of all employees and external party users to information and information processing facilities shall be removed upon termination of their employment, contract or agreement, or adjusted upon change.

A.9.3 User responsibilities
Objective: To make users accountable for safeguarding their authentication information.
A.9.3.1 Use of secret authentication information
Users shall be required to follow the organization's security practices in the use of secret authentication information.

A.9.4 System and application access control
Objective: To prevent unauthorized access to systems and applications.

A.9.4.1 Information access restriction
Access to information and application system functions shall be restricted in accordance with the access control policy.

A.9.4.2 Secure log-on procedures
Where required by the access control policy, access to systems and applications shall be controlled by a secure log-on procedure.

A.9.4.3 Password management system
Password management systems shall be interactive and shall ensure quality passwords.

A.9.4.4 Use of privileged utility programs
The use of utility programs that might be capable of overriding system and application controls shall be restricted and tightly controlled.

A.9.4.5 Access control to program source code
Access to program source code shall be restricted.
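A.9.4.3 says what a password management system must achieve (interactive, quality passwords) but not how. The function below is an added illustration of the check such a system would run at password-change time; it is not text from the standard. It follows the length-plus-blocklist approach of current guidance (NIST SP 800-63B) rather than composition rules, reports every failing rule in one round so the user is not left guessing, and uses a constructed sample blocklist in place of a real breached-password list.

```python
"""Interactive password-quality check for a password management system (A.9.4.3).

Added illustration, not text from the standard. The rules follow the
length-plus-blocklist approach of NIST SP 800-63B; the blocklist below is a
constructed sample standing in for a real breached-password list.
"""
import unicodedata

# Constructed sample blocklist (a real deployment would load a breached-password list).
BLOCKLIST = {"password", "123456", "qwerty", "letmein", "welcome", "summer2024"}

MIN_LENGTH = 12   # assumed policy value
MAX_LENGTH = 128  # long passphrases must not be rejected


def normalise(candidate):
    """Canonicalise so that trivial variants of a blocked word are still caught.

    "P@ssw0rd1!" becomes "password": case is folded, trailing digits and
    punctuation are stripped, then common leet substitutions are undone.
    """
    text = unicodedata.normalize("NFKC", candidate).casefold()
    text = text.rstrip("0123456789!?.#")
    for leet, plain in (("@", "a"), ("0", "o"), ("1", "i"), ("3", "e"), ("$", "s")):
        text = text.replace(leet, plain)
    return text


def check_password(candidate, username, blocklist=BLOCKLIST):
    """Return a list of human-readable reasons the candidate is rejected.

    An empty list means the password is acceptable. Returning every failing
    rule at once is what makes the system interactive: the user sees all
    problems in one round rather than one per attempt.
    """
    reasons = []
    folded = candidate.casefold()
    if len(candidate) < MIN_LENGTH:
        reasons.append(f"shorter than {MIN_LENGTH} characters")
    if len(candidate) > MAX_LENGTH:
        reasons.append(f"longer than {MAX_LENGTH} characters")
    if username and username.casefold() in folded:
        reasons.append("contains the account name")
    if folded in blocklist or normalise(candidate) in blocklist:
        reasons.append("matches a commonly used or previously breached password")
    if len(set(folded)) < 4:
        reasons.append("uses too few distinct characters")
    return reasons


if __name__ == "__main__":
    for pw, user in (("P@ssw0rd!", "alice"), ("correct horse battery staple", "alice"),
                     ("aliceAliceAlice1", "alice"), ("aaaaaaaaaaaaaaaa", "bob")):
        verdict = check_password(pw, user) or ["accepted"]
        print(f"{pw!r:34} -> {'; '.join(verdict)}")
```

The blocklist lookup is deliberately done on both the folded and the normalised form, so "Summer2024" is caught by the exact entry while "P@ssw0rd!" is caught after normalisation. Composition rules (one upper, one digit, one symbol) are intentionally absent: they push users toward exactly the predictable variants the normaliser exists to catch.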