190815 ISO 27001 A.11 ~ A.12 notes
| Control | Title | Requirement |
|---|---|---|
| A.11.1.3 | Securing offices, rooms and facilities | Physical security for offices, rooms and facilities shall be designed and applied. |
| A.11.1.4 | Protecting against external and environmental threats | Physical protection against natural disasters, malicious attack or accidents shall be designed and applied. |
| A.11.1.5 | Working in secure areas | Procedures for working in secure areas shall be designed and applied. |
| A.11.1.6 | Delivery and loading areas | Access points such as delivery and loading areas and other points where unauthorized persons could enter the premises shall be controlled and, if possible, isolated from information processing facilities to avoid unauthorized access. |
| A.11.2 | Equipment | Objective: To prevent loss, damage, theft or compromise of assets and interruption to the organization's operations. |
| A.11.2.1 | Equipment siting and protection | Equipment shall be sited and protected to reduce the risks from environmental threats and hazards, and opportunities for unauthorized access. |
| A.11.2.2 | Supporting utilities | Equipment shall be protected from power failures and other disruptions caused by failures in supporting utilities. |
| A.11.2.3 | Cabling security | Power and telecommunications cabling carrying data or supporting information services shall be protected from interception, interference or damage. |
| A.11.2.4 | Equipment maintenance | Equipment shall be correctly maintained to ensure its continued availability and integrity. |
| A.11.2.5 | Removal of assets | Equipment, information or software shall not be taken off-site without prior authorization. |
| A.11.2.6 | Security of equipment and assets off-premises | Security shall be applied to off-site assets taking into account the different risks of working outside the organization's premises. |
| A.11.2.7 | Secure disposal or re-use of equipment | All items of equipment containing storage media shall be verified to ensure that any sensitive data and licensed software has been removed or securely overwritten prior to disposal or re-use. |
| A.11.2.8 | Unattended user equipment | Users shall ensure that unattended equipment has appropriate protection. |
| A.11.2.9 | Clear desk and clear screen policy | A clear desk policy for papers and removable storage media and a clear screen policy for information processing facilities shall be adopted. |
| A.12.1 | Operational procedures and responsibilities | Objective: To ensure correct and secure operations of information processing facilities. |
| A.12.1.1 | Documented operating procedures | Operating procedures shall be documented and made available to all users who need them. |
| A.12.1.2 | Change management | Changes to the organization, business processes, information processing facilities and systems that affect information security shall be controlled. |
| A.12.1.3 | Capacity management | The use of resources shall be monitored, tuned and projections made of future capacity requirements to ensure the required system performance. |
| A.12.1.4 | Separation of development, testing and operational environments | Development, testing, and operational environments shall be separated to reduce the risks of unauthorized access or changes to the operational environment. |
| A.12.2 | Protection from malware | Objective: To ensure that information and information processing facilities are protected against malware. |
| A.12.2.1 | Controls against malware | Detection, prevention and recovery controls to protect against malware shall be implemented, combined with appropriate user awareness. |
| A.12.3.1 | Information backup | Backup copies of information, software and system images shall be taken and tested regularly in accordance with an agreed backup policy. |
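A.11.2.7 asks that media be *verified* as securely overwritten, not merely that a wipe tool was run. The script below is an added example written for these notes, not text from the standard or from any wipe tool: it scans a disk image (or, with the path changed, a raw block device) for any byte that differs from the expected fill, reports the offsets of leftover data, performs a single-pass zero overwrite, and re-verifies. The image, the planted "SECRET" fragments and their offsets are constructed fixtures for the demonstration.

```python
"""Verify (and, if needed, overwrite) a storage image before disposal or re-use.

Added example for ISO 27001 A.11.2.7; the image and planted data are constructed.
"""
import os
import re
import tempfile

CHUNK = 1 << 20  # 1 MiB reads keep memory flat on multi-GiB images or devices


def residual_ranges(stream, expected_byte=0x00, chunk=CHUNK):
    """Return [(start, end), ...] byte ranges whose content is not expected_byte.

    Runs that straddle a read boundary are merged so a leftover is reported once.
    """
    pattern = re.compile(b"[^" + re.escape(bytes([expected_byte])) + b"]+")
    ranges = []
    offset = 0
    while True:
        data = stream.read(chunk)
        if not data:
            break
        for m in pattern.finditer(data):
            start, end = offset + m.start(), offset + m.end()
            if ranges and ranges[-1][1] == start:
                ranges[-1] = (ranges[-1][0], end)  # continue a run across the boundary
            else:
                ranges.append((start, end))
        offset += len(data)
    return ranges


def verify_wiped(path, expected_byte=0x00, max_ranges=10):
    """Open path read-only and report whether every byte equals expected_byte."""
    with open(path, "rb") as f:
        ranges = residual_ranges(f, expected_byte)
        size = f.tell()  # we read to EOF, so this is the image/device size
    return {
        "path": path,
        "size": size,
        "ok": not ranges,
        "residual_bytes": sum(end - start for start, end in ranges),
        "ranges": ranges[:max_ranges],  # first few offsets to hand to the investigator
    }


def overwrite(path, fill=0x00, chunk=CHUNK):
    """Overwrite the whole file/device in place with fill bytes and fsync.

    Caveat: this is a logical single-pass overwrite. On SSDs and other flash media
    the controller may retain old copies of blocks, so use the device's own sanitize
    or crypto-erase command there and use verify_wiped() only as the read-back check.
    """
    block = bytes([fill]) * chunk
    with open(path, "r+b") as f:
        size = f.seek(0, os.SEEK_END)
        f.seek(0)
        written = 0
        while written < size:
            n = min(chunk, size - written)
            f.write(block[:n])
            written += n
        f.flush()
        os.fsync(f.fileno())
    return written


def make_sample_image(path, size, fragments):
    """Constructed fixture: a zero-filled image with leftover data planted at offsets."""
    with open(path, "wb") as f:
        f.truncate(size)  # sparse file reads back as zeros
        for offset, data in fragments:
            f.seek(offset)
            f.write(data)


def demo():
    """Plant two leftovers (one straddling a read boundary), verify, wipe, re-verify."""
    with tempfile.TemporaryDirectory() as d:
        img = os.path.join(d, "retired-disk.img")  # hypothetical retired disk image
        fragments = [
            (1_500_000, b"SECRET"),
            (2 * CHUNK - 3, b"\xde\xad\xbe\xef\x42\x43"),  # crosses the 2 MiB read boundary
        ]
        make_sample_image(img, 3 * CHUNK, fragments)
        before = verify_wiped(img)
        overwrite(img)
        after = verify_wiped(img)
        return before, after


if __name__ == "__main__":
    before, after = demo()
    print("before wipe:", before["ok"], before["ranges"])
    print("after wipe: ", after["ok"], after["residual_bytes"])
```

Point `verify_wiped()` at `/dev/sdX` (read-only, as root) after the wipe tool of choice has run; a non-empty `ranges` list is the evidence that the A.11.2.7 check failed, and the offsets tell you where to look. Keep the report alongside the asset's disposal record.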