欢迎来到麦多课文档分享! | 帮助中心 海量文档,免费浏览,给你所需,享你所想!
麦多课文档分享
全部分类
  • 标准规范>
  • 教学课件>
  • 考试资料>
  • 办公文档>
  • 学术论文>
  • 行业资料>
  • 易语言源码>
  • ImageVerifierCode 换一换
    首页 麦多课文档分享 > 资源分类 > PDF文档下载
    分享到微信 分享到微博 分享到QQ空间

    BS ISO IEC 27034-2-2015 Information technology Security techniques Application security Organization normative framework《信息技术 安全技术 应用程序安全 组织规范框架》.pdf

    • 资源ID:396691       资源大小:3.99MB        全文页数:64页
    • 资源格式: PDF        下载积分:10000积分
    快捷下载 游客一键下载
    账号登录下载
    微信登录下载
    二维码
    微信扫一扫登录
    下载资源需要10000积分(如需开发票,请勿充值!)
    邮箱/手机:
    温馨提示:
    如需开发票,请勿充值!快捷下载时,用户名和密码都是您填写的邮箱或者手机号,方便查询和重复下载(系统自动生成)。
    如需开发票,请勿充值!如填写123,账号就是123,密码也是123。
    支付方式: 支付宝扫码支付    微信扫码支付   
    验证码:   换一换

    加入VIP,交流精品资源
     
    账号:
    密码:
    验证码:   换一换
      忘记密码?
        
    友情提示
    2、PDF文件下载后,可能会被浏览器默认打开,此种情况可以点击浏览器菜单,保存网页到桌面,就可以正常下载了。
    3、本站不支持迅雷下载,请使用电脑自带的IE浏览器,或者360浏览器、谷歌浏览器下载即可。
    4、本站资源下载后的文档和图纸-无水印,预览文档经过压缩,下载后原文更清晰。
    5、试题试卷类文档,如果标题没有明确说明有答案则都视为没有答案,请知晓。

    BS ISO IEC 27034-2-2015 Information technology Security techniques Application security Organization normative framework《信息技术 安全技术 应用程序安全 组织规范框架》.pdf

    1、BSI Standards Publication BS ISO/IEC 27034-2:2015 Information technology Security techniques Application security Part 2: Organization normative frameworkBS ISO/IEC 27034-2:2015 BRITISH STANDARD National foreword This British Standard is the UK implementation of ISO/IEC 27034-2:2015. The UK particip

    2、ation in its preparation was entrusted to Technical Committee IST/33, IT - Security techniques. A list of organizations represented on this committee can be obtained on request to its secretary. This publication does not purport to include all the necessary provisions of a contract. Users are respon

    3、sible for its correct application. The British Standards Institution 2015. Published by BSI Standards Limited 2015 ISBN 978 0 580 69907 8 ICS 35.040 Compliance with a British Standard cannot confer immunity from legal obligations. This British Standard was published under the authority of the Standa

    4、rds Policy and Strategy Committee on 31 August 2015. Amendments issued since publication Date Text affectedBS ISO/IEC 27034-2:2015 Information technology Security techniques Application security Part 2: Organization normative framework Technologie de linformation Scurit des applications Partie 2: Ca

    5、dre normatif de lorganisation INTERNATIONAL STANDARD ISO/IEC 27034-2 Reference number ISO/IEC 27034-2:2015(E) First edition 2015-08-15 ISO/IEC 2015 BS ISO/IEC 27034-2:2015ii ISO/IEC 2015 All rights reserved COPYRIGHT PROTECTED DOCUMENT ISO/IEC 2015, Published in Switzerland All rights reserved. Unle

    6、ss otherwise specified, no part of this publication may be reproduced or utilized otherwise in any form or by any means, electronic or mechanical, including photocopying, or posting on the internet or an intranet, without prior written permission. Permission can be requested from either ISO at the a

    7、ddress below or ISOs member body in the country of the requester. ISO copyright office Ch. de Blandonnet 8 CP 401 CH-1214 Vernier, Geneva, Switzerland Tel. +41 22 749 01 11 Fax +41 22 749 09 47 copyrightiso.org www.iso.org ISO/IEC 27034-2:2015(E)BS ISO/IEC 27034-2:2015ISO/IEC 27034-2:2015(E)Foreword

    8、 iv Introduction v 1 Scope . 1 2 Normative references 1 3 T erms and definitions . 1 4 Abbreviated terms 1 5 Organization Normative Framework 2 5.1 General . 2 5.2 Purpose 2 5.3 Principles . 2 5.4 ONF Management Process 2 5.4.1 General 2 5.4.2 Use of RACI charts in description of activities, roles a

    9、nd responsibilities . 4 5.4.3 Establishing the ONF committee 5 5.4.4 Designing the ONF 6 5.4.5 Implementing the ONF . 8 5.4.6 Monitoring and reviewing the ONF 10 5.4.7 Improving the ONF . .11 5.4.8 Auditing the ONF 13 5.5 ONF Elements15 5.5.1 General.15 5.5.2 Business context component .16 5.5.3 Reg

    10、ulatory context component 17 5.5.4 Technological context component .18 5.5.5 Application specifications repository .19 5.5.6 Roles, responsibilities and qualifications repository 20 5.5.7 Organization ASC Library 21 5.5.8 Application Security Control 23 5.5.9 Application Security Life Cycle Referenc

    11、e Model .26 5.5.10 Application Security Life Cycle Model 32 5.5.11 Application Security Management Process .33 5.5.12 Application Security Risk Analysis Process .34 5.5.13 Application Security Verification Process .36 Annex A (informative) Aligning the ONF and ASMP with ISO/IEC 15288 and ISO/IEC 122

    12、07 through ISO/IEC 15026-4 .38 Annex B (informative) ONF implementation example: implementing ISO/IEC 27034 Application Security and its ONF in an existing organization 42 Bibliography .52 ISO/IEC 2015 All rights reserved iii Contents PageBS ISO/IEC 27034-2:2015ISO/IEC 27034-2:2015(E) Foreword ISO (

    13、the International Organization for Standardization) and IEC (the International Electrotechnical Commission) form the specialized system for worldwide standardization. National bodies that are members of ISO or IEC participate in the development of International Standards through technical committees

    14、 established by the respective organization to deal with particular fields of technical activity. ISO and IEC technical committees collaborate in fields of mutual interest. Other international organizations, governmental and non-governmental, in liaison with ISO and IEC, also take part in the work.

    15、In the field of information technology, ISO and IEC have established a joint technical committee, ISO/IEC JTC 1. The procedures used to develop this document and those intended for its further maintenance are described in the ISO/IEC Directives, Part 1. In particular the different approval criteria

    16、needed for the different types of document should be noted. This document was drafted in accordance with the editorial rules of the ISO/IEC Directives, Part 2 (see www.iso.org/directives). Attention is drawn to the possibility that some of the elements of this document may be the subject of patent r

    17、ights. ISO and IEC shall not be held responsible for identifying any or all such patent rights. Details of any patent rights identified during the development of the document will be in the Introduction and/or on the ISO list of patent declarations received (see www.iso.org/patents). Any trade name

    18、used in this document is information given for the convenience of users and does not constitute an endorsement. For an explanation on the meaning of ISO specific terms and expressions related to conformity assessment, as well as information about ISOs adherence to the WTO principles in the Technical

    19、 Barriers to Trade (TBT) see the following URL: Foreword - Supplementary information The committee responsible for this document is ISO/IEC JTC 1, Information technology, Subcommittee SC 27, Security techniques. ISO/IEC 27034 consists of the following parts, under the general title Information techn

    20、ology Security techniques Application security: Part 1: Overview and concepts Part 2: Organization normative framework The following parts are under preparation: Part 3: Application security management process Part 4: Application security validation Part 5: Protocols and application security control

    21、 data structure Part 6: Security guidance for specific applications Part 7: Application security assurance predictioniv ISO/IEC 2015 All rights reservedBS ISO/IEC 27034-2:2015ISO/IEC 27034-2:2015(E) Introduction General Organizations must protect their information and technological infrastructures i

    22、n order to stay in business. There is an increasing need for organizations to focus on protecting their information at the application level. A systematic approach towards improving application security provides an organization with evidence that information being used or stored by its applications

    23、is being adequately protected. ISO/IEC 27034 provides concepts, principles, frameworks, components and processes to assist organizations in integrating security seamlessly throughout the life cycle of their applications. The Organization Normative Framework (ONF) is the most important of those compo

    24、nents. The ONF is an organization-wide framework where all application security best practices recognized by the organization are stored. It comprises essential components, processes that utilize these components, and processes for managing the ONF itself. It is the foundation of application securit

    25、y in the organization and all the organizations future application security decisions should be made by referring to this framework. The ONF is the authoritative source for all components and processes related to application security in the organization. This part of ISO/IEC 27034 defines the proces

    26、ses required to manage the security of applications in the organization. These processes are presented in 5.4. It also introduces security-related elements of applications (processes, roles and components) that should be integrated into the ONF. These elements are presented in 5.5. Finally, this par

    27、t of ISO/IEC 27034 presents the Auditing the ONF process, needed by an organization for verifying its ONF and verifying compliance of all applications with the requirements and controls in the ONF. This process is presented in 5.4.8. Purpose The purpose of this part of ISO/IEC 27034 is to assist org

    28、anizations to create, maintain and validate their own ONF in compliance with the requirements of this International Standard. This part of ISO/IEC 27034 is designed to enable an organization to align or integrate its ONF with the organizations enterprise architecture and/or the organizations informa

    29、tion security management system requirements. However, implementing an information security management system as described in ISO/IEC 27001 is not a requirement for the implementation of this International Standard. Targeted Audiences General The following audiences will find value and benefits when

    30、 carrying their designated organizational roles: a) managers; b) ONF committee; c) domain experts; d) auditors. Managers Managers should read this International Standard because they are responsible for the following: a) improving application security through the ONF and other aspects of ISO/IEC 270

    31、34; b) ensuring the ONF stays aligned with the organizations information security management system and application security needs; ISO/IEC 2015 All rights reserved vBS ISO/IEC 27034-2:2015ISO/IEC 27034-2:2015(E) c) leading the establishment of the ONF in the organization; d) ensuring the ONF is ava

    32、ilable, communicated and used in application projects with proper tools and procedures all across the organization; e) determining the appropriate level(s) of management that the ONF Committee reports to. ONF Committee The ONF Committee is responsible for managing the implementation and maintenance

    33、of the application-security-related components and processes in the Organization Normative Framework. The ONF Committee needs to a) manage the cost of implementing and maintaining the ONF, b) determine what components and processes should be implemented in the ONF, c) make sure introduced components

    34、 and processes respect the organizations priorities for security requirements, d) review auditor reports for acceptance or rejection that the ONF conforms to this International Standard and meets the organizations requirements, e) provide processes and tools for managing compliance with standards, l

    35、aws and regulations according to the regulatory context of the organization, f) communicate security awareness, training and oversight to all actors, and g) promote compliance with the ONF for all application projects throughout the organization. ONF development team Experts who have been assigned b

    36、y the ONF Committee with the task of developing and implementing one or more ONF element(s), who need to a) develop and implement a designed ONF element, b) determine training in the use of ONF elements by its different actors, and c) collaborate in providing adequate training to actors. Domain expe

    37、rts Provisioning, operation, acquisition and audit experts who need to a) participate in ONF implementation and maintenance, b) validate that the ONF is useable and useful in the course of an application project, and c) propose new components and processes. Auditors Auditors are personnel performing

    38、 roles in the audit processes, who need to participate in ONF validation and verification. NOTE Auditors may be external or internal to the organization, depending on the target and circumstances of the audit, and according to the organizations audit policies and conformance requirements.vi ISO/IEC

    39、2015 All rights reservedBS ISO/IEC 27034-2:2015INTERNATIONAL ST ANDARD ISO/IEC 27034-2:2015(E) Information technology Security techniques Application security Part 2: Organization normative framework 1 Scope This part of ISO/IEC 27034 provides a detailed description of the Organization Normative Fra

    40、mework and provides guidance to organizations for its implementation. 2 Normative references The following documents, in whole or in part, are normatively referenced in this document and are indispensable for its application. For dated references, only the edition cited applies. For undated referenc

    41、es, the latest edition of the referenced document (including any amendments) applies. ISO/IEC 27000, Information technology Security Techniques Information security management systems Overview and vocabulary ISO/IEC 27005, Information technology Security techniques Information security risk manageme

    42、nt ISO/IEC 27034-1:2011, Information technology Security techniques Application security Part 1: Overview and concepts NOTE Additional detail about the relationship between ISO/IEC 27034 and other standards is available in ISO/IEC 27034-1:2011, 0.5. 3 T erms a nd definiti ons For the purposes of thi

    43、s document, the terms and definitions given in ISO/IEC 27034-1, ISO/IEC 27000, and ISO/IEC 27005 apply. 4 Abbreviated terms ASLC Application Security Life Cycle ASLCRM Application Security Life Cycle Reference Model ANF Application Normative Framework ASC Application Security Control ASMP Applicatio

    44、n Security Management Process ONF Organization Normative Framework ISO/IEC 2015 All rights reserved 1BS ISO/IEC 27034-2:2015ISO/IEC 27034-2:2015(E) 5 Organization Normative Framework 5.1 General An organizations normative framework is the sum of all regulations, policies, practices, roles and tools

    45、used by the organization. Every organization should already have a normative framework, more or less formally documented. The Organization Normative Framework (ONF) concept described in this International Standard is an organization-wide framework containing a subset of the organizations processes a

    46、nd components that are relevant to application security and are normative inside the organization. Although an informal ONF is a first step towards securing the organizations applications, this International Standard recommends a formalized and standardized ONF, as described in this International St

    47、andard. 5.2 Purpose The purpose of implementing the ONF is to: a) assign responsibility for application security and establish a process that can evolve to improve application security visibility; b) ensure all elements (components, roles and processes) involved in application security are approved

    48、by the appropriate decision-makers and accepted by all relevant actors and stakeholders; c) minimize resistance to changes brought by these new application security elements; d) standardize application security elements to ensure a uniform implementation and verification throughout the organization;

    49、 e) help the organization to improve its maturity level (as defined in ISO/IEC 15504 and other standards such as SEI/CMMI) by formalizing and revising all application security elements to keep them up to date with the organizations evolving environment; and f) establish mechanisms to ensure that an appropriate level of security can be achieved in a cost- effective manner, for example, through reusing existing approved application security elements. 5.3 P


    注意事项

    本文(BS ISO IEC 27034-2-2015 Information technology Security techniques Application security Organization normative framework《信息技术 安全技术 应用程序安全 组织规范框架》.pdf)为本站会员(ideacase155)主动上传,麦多课文档分享仅提供信息存储空间,仅对用户上传内容的表现方式做保护处理,对上载内容本身不做任何修改或编辑。 若此文所含内容侵犯了您的版权或隐私,请立即通知麦多课文档分享(点击联系客服),我们立即给予删除!




    关于我们 - 网站声明 - 网站地图 - 资源地图 - 友情链接 - 网站客服 - 联系我们

    copyright@ 2008-2019 麦多课文库(www.mydoc123.com)网站版权所有
    备案/许可证编号:苏ICP备17064731号-1 

    收起
    展开