欢迎来到麦多课文档分享! | 帮助中心 海量文档,免费浏览,给你所需,享你所想!
麦多课文档分享
全部分类
  • 标准规范>
  • 教学课件>
  • 考试资料>
  • 办公文档>
  • 学术论文>
  • 行业资料>
  • 易语言源码>
  • ImageVerifierCode 换一换
    首页 麦多课文档分享 > 资源分类 > PDF文档下载
    分享到微信 分享到微博 分享到QQ空间

    BS ISO IEC 30111-2013 Information technology Security techniques Vulnerability handling processes《信息技术 安全技术 漏洞处理过程》.pdf

    • 资源ID:396817       资源大小:2MB        全文页数:24页
    • 资源格式: PDF        下载积分:5000积分
    快捷下载 游客一键下载
    账号登录下载
    微信登录下载
    二维码
    微信扫一扫登录
    下载资源需要5000积分(如需开发票,请勿充值!)
    邮箱/手机:
    温馨提示:
    如需开发票,请勿充值!快捷下载时,用户名和密码都是您填写的邮箱或者手机号,方便查询和重复下载(系统自动生成)。
    如需开发票,请勿充值!如填写123,账号就是123,密码也是123。
    支付方式: 支付宝扫码支付    微信扫码支付   
    验证码:   换一换

    加入VIP,交流精品资源
     
    账号:
    密码:
    验证码:   换一换
      忘记密码?
        
    友情提示
    2、PDF文件下载后,可能会被浏览器默认打开,此种情况可以点击浏览器菜单,保存网页到桌面,就可以正常下载了。
    3、本站不支持迅雷下载,请使用电脑自带的IE浏览器,或者360浏览器、谷歌浏览器下载即可。
    4、本站资源下载后的文档和图纸-无水印,预览文档经过压缩,下载后原文更清晰。
    5、试题试卷类文档,如果标题没有明确说明有答案则都视为没有答案,请知晓。

    BS ISO IEC 30111-2013 Information technology Security techniques Vulnerability handling processes《信息技术 安全技术 漏洞处理过程》.pdf

    1、BSI Standards Publication BS ISO/IEC 30111:2013 Information technology Security techniques Vulnerability handling processesBS ISO/IEC 30111:2013 BRITISH STANDARD National foreword This British Standard is the UK implementation of ISO/IEC 30111:2013. The UK participation in its preparation was entrus

    2、ted to Technical Committee IST/33, IT - Security techniques. A list of organizations represented on this committee can be obtained on request to its secretary. This publication does not purport to include all the necessary provisions of a contract. Users are responsible for its correct application.

    3、The British Standards Institution 2013. Published by BSI Standards Limited 2013 ISBN 978 0 580 75882 9 ICS 35.040 Compliance with a British Standard cannot confer immunity from legal obligations. This British Standard was published under the authority of the Standards Policy and Strategy Committee o

    4、n 31 October 2013. Amendments issued since publication Date Text affectedBS ISO/IEC 30111:2013 Information technology Security techniques Vulnerability handling processes Technologies de linformation Techniques de scurit Processus de traitement de la vulnrabilit ISO/IEC 2013 INTERNATIONAL STANDARD I

    5、SO/IEC 30111 First edition 2013-11-01 Reference number ISO/IEC 30111:2013(E)BS ISO/IEC 30111:2013ISO/IEC 30111:2013(E)ii ISO/IEC 2013 All rights reserved COPYRIGHT PROTECTED DOCUMENT ISO/IEC 2013 All rights reserved. Unless otherwise specified, no part of this publication may be reproduced or utiliz

    6、ed otherwise in any form or by any means, electronic or mechanical, including photocopying, or posting on the internet or an intranet, without prior written permission. Permission can be requested from either ISO at the address below or ISOs member body in the country of the requester. ISO copyright

    7、 office Case postale 56 CH-1211 Geneva 20 Tel. + 41 22 749 01 11 Fax + 41 22 749 09 47 E-mail copyrightiso.org Web www.iso.org Published in SwitzerlandBS ISO/IEC 30111:2013ISO/IEC 30111:2013(E) ISO/IEC 2013 All rights reserved iii Contents Page Foreword iv Introduction v 1 Scope . 1 2 Normative refe

    8、rences 1 3 T erms and definitions . 1 4 Abbreviated terms 2 5 Interface between ISO/IEC 29147 - Vulnerability disclosure and ISO/IEC 30111 - Vulnerability handling processes . 2 6 Policy and Organizational Framework for Vulnerability Handling Processes .3 6.1 General . 3 6.2 Vulnerability Handling P

    9、olicy Development . 4 6.3 Development of an Organizational Framework to Support the Vulnerability Handling Process . 4 6.4 Vendor CSIRT or PSIRT 5 6.5 Responsibilities of the Product Business Division . 6 6.6 Responsibilities of the Customer Support Division and Public Relation Division 6 6.7 Legal

    10、Consultation . 6 7 Vulnerability handling process . 7 7.1 Introduction to vulnerability handling phases 7 7.2 Vulnerability handling phases . 8 7.3 Monitoring of Vulnerability handling phases 10 7.4 Confidentiality of Vulnerability Information10 8 Supply chain vulnerability handling process 11 Bibli

    11、ography .12BS ISO/IEC 30111:2013ISO/IEC 30111:2013(E) Foreword ISO (the International Organization for Standardization) and IEC (the International Electrotechnical Commission) form the specialized system for worldwide standardization. National bodies that are members of ISO or IEC participate in the

    12、 development of International Standards through technical committees established by the respective organization to deal with particular fields of technical activity. ISO and IEC technical committees collaborate in fields of mutual interest. Other international organizations, governmental and non-gov

    13、ernmental, in liaison with ISO and IEC, also take part in the work. In the field of information technology, ISO and IEC have established a joint technical committee, ISO/IEC JTC 1. International Standards are drafted in accordance with the rules given in the ISO/IEC Directives, Part 2. The main task

    14、 of the joint technical committee is to prepare International Standards. Draft International Standards adopted by the joint technical committee are circulated to national bodies for voting. Publication as an International Standard requires approval by at least 75 % of the national bodies casting a v

    15、ote. Attention is drawn to the possibility that some of the elements of this document may be the subject of patent rights. ISO and IEC shall not be held responsible for identifying any or all such patent rights. ISO/IEC 30111 was prepared by Joint Technical Committee ISO/IEC JTC 1, Information techn

    16、ology, Subcommittee SC 27, Security techniques.iv ISO/IEC 2013 All rights reservedBS ISO/IEC 30111:2013ISO/IEC 30111:2013(E) Introduction This International Standard describes processes for vendors to handle reports of potential vulnerabilities in products and online services. The audience for this

    17、standard includes consumers, developers, vendors, and evaluators of secure IT products. The following audiences may use this standard: developers and vendors, when responding to reported actual or potential vulnerabilities; evaluators, when assessing the security assurance afforded by vendors and de

    18、velopers vulnerability handling processes and the associated products and services; consumers, when selecting product and online service vendors to express best practice assurance requirements to developers, vendors and integrators. This International Standard is related to ISO/IEC 29147. 5It interf

    19、aces with elements described in ISO/IEC 29147 at the point of receiving potential vulnerability reports, and at the point of distributing vulnerability resolution information. This International Standard takes into consideration the relevant elements of ISO/IEC 15408-3, 113.5 Flaw remediation (ALC_F

    20、LR). ISO/IEC 2013 All rights reserved vBS ISO/IEC 30111:2013BS ISO/IEC 30111:2013Information technology Security techniques Vulnerability handling processes 1 Scope This International Standard gives guidelines for how to process and resolve potential vulnerability information in a product or online

    21、service. This International Standard is applicable to vendors involved in handling vulnerabilities. 2 Normative references The following documents, in whole or in part, are normatively referenced in this document and are indispensable for its application. For dated references, only the edition cited

    22、 applies. For undated references, the latest edition of the referenced document (including any amendments) applies. ISO/IEC 27000, Information technology Security techniques Information security management systems Overview and vocabulary 3 T erms a nd definiti ons For the purposes of this document,

    23、the terms and definitions given in ISO/IEC 27000 and the following apply. 3.1 coordinator opt ion a l pa r t ic ip a nt t h at c a n a s s i s t vendor s a nd f i nder s i n h a nd l i ng a nd d i sc los i ng v u l ner abi l it y i n for m at ion Note 1 to entry: Acts as trusted liaison between invo

    24、lved parties, enabling communication between involved parties (vendors and finders). 3.2 online service service which is implemented by hardware, software or a combination of them, and provided over a communication line or network EXAMPLE Search engines, online backup services, Internet-hosted email

    25、, and software as a service are considered to be online services. 3.3 product system or service implemented or refined for sale or to be offered for free Note 1 to entry: In information technology, a distinction is often made between hardware and software products, although the boundary is not alway

    26、s clear. EXAMPLE A router can be seen as a hardware product even though a vital component of it is software and/or firmware. 3.4 remediation patch, fix, upgrade, configuration or documentation change to address a vulnerability Note 1 to entry: A change intended to resolve or mitigate a vulnerability

    27、. A remediation typically takes the form of a configuration change, binary file replacement, hardware change, or source code patch, etc. Remediations are usually provided by vendors. Vendors use different terms including update, patch, fix, hotfix, and upgrade. INTERNATIONAL ST ANDARD ISO/IEC 30111:

    28、2013(E) ISO/IEC 2013 All rights reserved 1BS ISO/IEC 30111:2013ISO/IEC 30111:2013(E) 3.5 service means of delivering value to users by facilitating results users want to achieve without the ownership of specific resources and risks 3.6 system combination of interacting elements organized to achieve

    29、one or more stated purposes SOURCE: ISO/IEC 15288:2008, 4.31 3.7 vendor person or organization that developed the product, or service, or is responsible for maintaining it 3.8 vulnerability weakness of software, hardware, or online service that can be exploited SOURCE: ISO/IEC 27000:2009, 2.46, modi

    30、fied Note 1 to entry: Examples of weaknesses in a system are software and hardware design flaws, poor administrative processes, lack of awareness and education, and advancements in the state of the art or improvements to current practices. Regardless of cause, an exploitation of such vulnerabilities

    31、 may result in real threats to mission-critical information systems. 4 Abbreviated terms CSIRT Computer Security Incident Response Team PSIRT Product Security Incident Response Team 5 Interface between ISO/IEC 29147 - Vulnerability disclosure and ISO/IEC 30111 - Vulnerability handling processes ISO/

    32、IEC 29147 5- Vulnerability disclosure and ISO/IEC 30111 - Vulnerability handling processes are related standards, as Figure 1 shows. ISO/IEC 29147 provides a guideline for vendors to include in their normal business processes on receiving information about potential vulnerabilities from people or or

    33、ganizations externally and distributing vulnerability resolution information to affected users. ISO/IEC 30111 gives guidelines for how to process and resolve potential vulnerability information reported by individuals or organizations that find a potential vulnerability in a product or online servic

    34、e. While ISO/IEC 29147 deals with the interface between vendors and those who find and report potential vulnerabilities, ISO/IEC 30111 deals with the investigation, triage, and resolution of vulnerabilities, regardless if the source of the potential vulnerability was external to the vendor, or from

    35、within the vendors own organization, typically security, development, or testing teams.2 ISO/IEC 2013 All rights reservedBS ISO/IEC 30111:2013ISO/IEC 30111:2013(E) Figure 1 A model of the Interface between ISO/IEC 29147 and ISO/IEC 30111 6 Policy and Organizational Framework for Vulnerability Handli

    36、ng Processes 6.1 General Vendors should create a vulnerability handling process in accordance with this International Standard in order to prepare for investigating and resolving potential vulnerabilities. The creation of a vulnerability handling process is a task that is performed by a vendor, and

    37、should be periodically assessed to facilitate process improvement opportunities and ensure that the process performs as expected. Vendors should document their vulnerability handling procedure in order to ensure that it is repeatable. The documentation should describe the procedures and methods used

    38、 to track all reported vulnerabilities. ISO/IEC 2013 All rights reserved 3BS ISO/IEC 30111:2013ISO/IEC 30111:2013(E) See ISO/IEC 27034 3for information on how identification of the root cause of a vulnerability, which is a step in the process of vulnerability handling, can help improve secure softwa

    39、re development lifecycles and result in an outcome of more secure product development. The following clause describes the elements that vendors should consider included in their vulnerability handling processes. 6.2 Vulnerability Handling Policy Development A vendor should develop and maintain a vul

    40、nerability handling policy to define and clarify its intentions when investigating and remediating vulnerabilities for the development of a vulnerability handling process. The policy should consist of two parts: an internal-only portion and a public portion. The internal-only part of the policy is i

    41、ntended for the vendors staff and defines who is responsible in each stage of the vulnerability handling process and how they should handle information on potential vulnerabilities. It should include the following items: a) basic guidance, principles, and responsibilities for handling potential vuln

    42、erabilities in products or online services; b) a list of departments and roles responsible for handling potential vulnerabilities; c) safeguards to prevent premature disclosure of information about potential vulnerabilities before they are fixed. The audience for the public part of the vulnerability

    43、 handling policy is internal and external stakeholders, including finders who wish to report potential vulnerabilities, and users of the vendors products or online services. It informs the audience of how the vendor is willing to interact with them when a potential vulnerability is found in the vend

    44、ors product or online services. Guidance, details and examples of public vulnerability handling policies are described in the sections describing vulnerability disclosure processes in ISO/IEC 29147. 5 6.3 Development of an Organizational Framework to Support the Vulnerability Han- dling Process 6.3.

    45、1 General Handling vulnerabilities has several additional aspects than just engineering and technology (for example, customer service and public relations). An organizational framework should be designed, recognized, and supported by the stakeholder divisions of the vendor responsible for each area.

    46、 An organization should have a role or capability that is responsible for and has authority to make decisions on vulnerability handling, preferably at a management level. This role or capability must understand the responsibility toward the vendors users, the internal processes, and the organization

    47、al framework for vulnerability handling. An organization should have a role or capability that is a point of contact for handling potential vulnerabilities. This point of contact should be identified for each division or department within a vendor that provides products or online services to custome

    48、rs. An organization should establish a point of contact for external parties to reach and communicate with about vulnerabilities. The point of contact may be part of a vendor computer security incident response team (vendor CSIRT) or a product security incident response team (PSIRT). Its details are

    49、 discussed in 6.4. Since customers and members of the media may contact the vendor with questions or requests for additional information after a vulnerability is disclosed, divisions responsible for customer and public relations should be prepared so that they can respond.4 ISO/IEC 2013 All rights reservedBS ISO/IEC 30111:2013ISO/IEC 30111:2013(E) 6.4 Vendor CSIRT or PSIRT 6.4.1 General A vendor CSIRT or PSIRT is responsible for coordinating vulnerability reports from external finders of vulnerabilit


    注意事项

    本文(BS ISO IEC 30111-2013 Information technology Security techniques Vulnerability handling processes《信息技术 安全技术 漏洞处理过程》.pdf)为本站会员(figureissue185)主动上传,麦多课文档分享仅提供信息存储空间,仅对用户上传内容的表现方式做保护处理,对上载内容本身不做任何修改或编辑。 若此文所含内容侵犯了您的版权或隐私,请立即通知麦多课文档分享(点击联系客服),我们立即给予删除!




    关于我们 - 网站声明 - 网站地图 - 资源地图 - 友情链接 - 网站客服 - 联系我们

    copyright@ 2008-2019 麦多课文库(www.mydoc123.com)网站版权所有
    备案/许可证编号:苏ICP备17064731号-1 

    收起
    展开