A.10 Cryptography

A.10.1 Cryptographic controls
Objective: To ensure proper and effective use of cryptography to protect the confidentiality, authenticity or integrity of information.

A.10.1.1 Policy on the use of cryptographic controls: A policy on the use of cryptographic controls for protection of information shall be developed and implemented.
A.10.1.2 Key management: A policy on the use, protection and lifetime of cryptographic keys shall be developed and implemented through their whole lifecycle.

A.11 Physical and environmental security

A.11.1 Secure areas
Objective: To prevent unauthorized physical access, damage and interference to the organization's information and information processing facilities.

A.11.1.1 Physical security perimeter: Security perimeters shall be defined and used to protect areas that contain either sensitive or critical information and information processing facilities.
A.11.1.2 Physical entry controls: Secure areas shall be protected by appropriate entry controls to ensure that only authorized personnel are allowed access.
A.11.1.3 Securing offices, rooms and facilities: Physical security for offices, rooms and facilities shall be designed and applied.
A.11.1.4 Protecting against external and environmental threats: Physical protection against natural disasters, malicious attack or accidents shall be designed and applied.
A.11.1.5 Working in secure areas: Procedures for working in secure areas shall be designed and applied.
A.11.1.6 Delivery and loading areas: Access points such as delivery and loading areas and other points where unauthorized persons may enter the premises shall be controlled and, if possible, isolated from information processing facilities to avoid unauthorized access.

A.11.2 Equipment
Objective: To prevent loss, damage, theft or compromise of assets and interruption to the organization's operations.

A.11.2.1 Equipment siting and protection: Equipment shall be sited and protected to reduce the risks from environmental threats and hazards, and opportunities for unauthorized access.
A.11.2.2 Supporting utilities: Equipment shall be protected from power failures and other disruptions caused by failures in supporting utilities.
A.11.2.3 Cabling security: Power and telecommunications cabling carrying data or supporting information services shall be protected from interception, interference or damage.
A.11.2.4 Equipment maintenance: Equipment shall be correctly maintained to ensure its continued availability and integrity.
A.11.2.5 Removal of assets: Equipment, information or software shall not be taken off-site without prior authorization.
A.11.2.6 Security of equipment and assets off-premises: Security shall be applied to off-site assets taking into account the different risks of working outside the organization's premises.
A.11.2.7 Secure disposal or re-use of equipment: All items of equipment containing storage media shall be verified to ensure that any sensitive data and licensed software has been removed or securely overwritten prior to disposal or re-use.
A.11.2.8 Unattended user equipment: Users shall ensure that unattended equipment has appropriate protection.
A.11.2.9 Clear desk and clear screen policy: A clear desk policy for papers and removable storage media and a clear screen policy for information processing facilities shall be adopted.

A.12 Operations security

A.12.1 Operational procedures and responsibilities
Objective: To ensure correct and secure operations of information processing facilities.

A.12.1.1 Documented operating procedures: Operating procedures shall be documented and made available to all users who need them.
A.12.1.2 Change management: Changes to the organization, business processes, information processing facilities and systems that affect information security shall be controlled.
A.12.1.3 Capacity management: The use of resources shall be monitored, tuned and projections made of future capacity requirements to ensure the required system performance.
A.12.1.4 Separation of development, testing and operational environments: Development, testing and operational environments shall be separated to reduce the risks of unauthorized access or changes to the operational environment.

A.12.2 Protection from malware
Objective: To ensure that information and information processing facilities are protected against malware.

A.12.2.1 Controls against malware: Detection, prevention and recovery controls to protect against malware shall be implemented, combined with appropriate user awareness.

A.12.3 Backup
Objective: To protect against loss of data.

A.12.3.1 Information backup: Backup copies of information, software and system images shall be taken and tested regularly in accordance with the agreed backup policy.

A.12.4 Logging and monitoring
Objective: To record events and generate evidence.

A.12.4.1 Event logging: Event logs recording user activities, exceptions, faults and information security events shall be produced, kept and regularly reviewed.
A.12.4.2 Protection of log information: Logging facilities and log information shall be protected against tampering and unauthorized access.
A.12.4.3 Administrator and operator logs: System administrator and system operator activities shall be logged, protected and regularly reviewed.
A.12.4.4 Clock synchronisation: The clocks of all relevant information processing systems within an organization or security domain shall be synchronized to a single reference time source.

A.12.5 Control of operational software
Objective: To ensure the integrity of operational systems.

A.12.5.1 Installation of software on operational systems: Procedures shall be implemented to control the installation of software on operational systems.

A.12.6 Technical vulnerability management
Objective: To prevent exploitation of technical vulnerabilities.

A.12.6.1 Management of technical vulnerabilities: Information about technical vulnerabilities of information systems being used shall be obtained in a timely fashion, the organization's exposure to such vulnerabilities evaluated and appropriate measures