Chapter 10: Security Incident Management


Ministry of Education ICT Talent Cultivation Pilot Program, Broadband Wired Teaching Promotion Alliance Center. Chapter 10: Security Incident Management. 10.1 The development of information security regulations. 10.2 Formulating an enterprise network security policy. 10.3 Conducting threat and risk assessment and implementing security rules. In the information age, many weighty paper documents have gradually been digitised and stored as files on storage media; while convenient, this has also greatly raised the likelihood of confidential data being leaked, which makes information security management all the more important. This chapter traces the development of information security regulations from BS7799/7800 to today's ISO 27001; domestic standards such as CNS17799/CNS17800 are also covered.

Transcript of Chapter 10: Security Incident Management

  • 10.1 10.2 10.3 BS7799/7800 iso 27001 CNS17799/CNS17800 BS7799/7800 10.3 100%

  • 10.1///

  • 10.1

    (Confidentiality) (Integrity) (Availability); (Confidentiality) (); (Integrity) (hash function); (Availability) (real time)

  • 10.1 () - (Certificate Authority, CA) (Catastrophic) (Critical) (Marginal) (Negligible)

  • 10.1 (Information Security Management System, ISMS) ISMS 100%

    ISO/IEC 17799 / BS 7799 timeline:
    1995: BS7799 Part 1
    1998: BS7799 Part 2
    1999: New issue of BS7799 Part 1 & 2
    2000: BS7799 Part 1 becomes ISO/IEC 17799:2000
    2002: New BS7799 Part 2
    2005/6: ISO/IEC 17799:2005
    2005/10: ISO/IEC 27001
    http://www.bsi-emea.com/InformationSecurity/Overview/index.xalter

  • 10.1 ISO/IEC 17799:2005, BS 7799-Part2:2002, ISO/IEC 17799, ISO/IEC 27001 (11 domains, 39 control objectives, 133 controls)

    CNS 17799 -CNS 17800 - CNS17799 CNS1780091125

    http://www.bsmi.gov.tw/page/pagetype8.jsp?page=886&groupid=5

  • 10.1 ISO (ISO 9000, 27000) ISO 27000 series:
    ISO 27000 ()
    ISO 27001 (BS 7799-2)
    ISO 27002 (2007; ISO/IEC 17799:2005 renumbered from 17799 to 27002)
    ISO 27003 (Information security management system implementation guidance, 2008/10)
    ISO 27004 (Information security management metrics and measurements)
    ISO 27005 (BS 7799-3) ISMS Risk Management (2005/12)

    http://www.bsi-emea.com/InformationSecurity/index.xalter

  • 10.2 PDCA: Plan (), Do (), Check (), Act ()

  • 10.2

  • 10.2

  • 10.3 Outsource services / Total organization / Area covered by scope

    (Information Assets): (Paper Documents), (Software Assets), (Physical Assets), (People), (Services), (Company Reputation)

  • 10.3 (Risk Assessment)

    (Risk Management)

    = f(, , )

    Step 1.

    Step 2.

    Step 3.

    Step 4.

    Step 5.

    Step 6.

    Step 7.

    Step 8.

  • 10.3 Step 2

    Step 3

    : :

  • 10.3 (Information Assets) (Paper Documents) (Software Assets) bug

  • 10.3

    (Physical Assets) (People) (Services)

  • 10.3 Step 4

    Step 5

  • 10.3 Step 6 vs.

  • 10.3 Step 7

    > 50 to 100

    > 10 to 50

    1 to 10

    Step 7

  • 10.3 (Risk Mitigation Options)
    Risk Assumption: To accept the potential risk and continue operating the IT system or to implement controls to lower the risk to an acceptable level
    Risk Avoidance: To avoid the risk by eliminating the risk cause and/or consequence
    Risk Limitation: To limit the risk by implementing controls that minimize the adverse impact of a threat's exercising a vulnerability
    Risk Planning: To manage risk by developing a risk mitigation plan that prioritizes, implements, and maintains controls
    Research and Acknowledgment: To lower the risk of loss by acknowledging the vulnerability or flaw and researching controls to correct the vulnerability
    Risk Transference: To transfer the risk by using other options to compensate for the loss, such as purchasing insurance

  • 10.3 Risk Mitigation Strategy

  • 10.3 Approach for Control Implementation
    Address the greatest risks
    Strive for sufficient risk mitigation at the lowest cost
    With minimal impact on other mission capabilities
    Control Categories: Technical security controls, Management security controls, Operational security controls

  • 10.3 Technical Security Controls
    Support: Identification; Cryptographic Key Management; Security Administration; System Protections
    Prevent: Authentication; Authorization; Access Control Enforcement; Non-repudiation; Protected Communications; Transaction Privacy
    Detect and Recover: Audit; Intrusion Detection and Containment; Proof of Wholeness; Restore Secure State; Virus Detection and Eradication

  • 10.3 Management Security Controls
    Preventive: Assign security responsibility; Develop and maintain system security plans; Implement personnel security controls, including separation of duties, least privilege, and user computer access registration and termination; Conduct security awareness and technical training
    Detection: Implement personnel security controls; Conduct periodic review of security controls, including personnel clearance, background investigations, rotation of duties; Perform periodic system audits; Conduct ongoing risk management to assess and mitigate risk; Authorize IT systems to address and accept residual risk
    Recovery: Provide continuity of support and develop, test, and maintain the continuity of operations plan to provide for business resumption and ensure continuity of operations during emergencies or disasters; Establish an incident response capability to prepare for, recognize, report, and respond to the incident and return the IT system to operational status

  • 10.3 Operational Security Controls
    Preventive Operational Controls: Control data media access and disposal; Limit external data distribution; Control software viruses; Safeguard computing facility; Secure wiring closets that house hubs and cables; Provide backup capability; Establish off-site storage procedures and security; Protect laptops, personal computers (PC), workstations; Protect IT assets from fire damage; Provide emergency power source; Control the humidity and temperature of the computing facility
    Detection Operational Controls: Provide physical security; Ensure environmental security

  • 10.3 Residual Risk

  • 10.3

  • BS7799/7800 ISO27001 PDCA

  • References:
    BSI Management Systems, http://www.bsi-emea.com/InformationSecurity/index.xalter
    Information standard, http://www.informationstandards.com/resources_glossary.htm
    RiskINFO, http://www.riskinfo.com/
    http://www.bsmi.gov.tw/page/pagetype8.jsp?page=886&groupid=5
    ISC, http://www.isc.ntust.edu.tw/
    http://ics.stpi.org.tw/
    http://www.isecutech.com.tw/
    http://www.rmst.org.tw/