190816 ISO 27001 A.12 ~ A.13 Notes
| Control | Title | Objective / control statement |
|---|---|---|
| A.12.4 | Logging and monitoring | Objective: To record events and generate evidence. |
| A.12.4.1 | Event logging | Event logs recording user activities, exceptions, faults and information security events shall be produced, kept and regularly reviewed. |
| A.12.4.2 | Protection of log information | Logging facilities and log information shall be protected against tampering and unauthorized access. |
| A.12.4.3 | Administrator and operator logs | System administrator and system operator activities shall be logged and the logs protected and regularly reviewed. |
| A.12.4.4 | Clock synchronization | The clocks of all relevant information processing systems within an organization or security domain shall be synchronised to a single reference time source. |
| A.12.5 | Control of operational software | Objective: To ensure the integrity of operational systems. |
| A.12.5.1 | Installation of software on operational systems | Procedures shall be implemented to control the installation of software on operational systems. |
| A.12.6 | Technical vulnerability management | Objective: To prevent exploitation of technical vulnerabilities. |
| A.12.6.1 | Management of technical vulnerabilities | Information about technical vulnerabilities of information systems being used shall be obtained in a timely fashion, the organization's exposure to such vulnerabilities evaluated and appropriate measures taken to address the associated risk. |
| A.12.6.2 | Restrictions on software installation | Rules governing the installation of software by users shall be established and implemented. |
| A.12.7 | Information systems audit considerations | Objective: To minimize the impact of audit activities on operational systems. |
| A.12.7.1 | Information systems audit controls | Audit requirements and activities involving verification of operational systems shall be carefully planned and agreed to minimize disruptions to business processes. |
| A.13.1 | Network security management | Objective: To ensure the protection of information in networks and its supporting information processing facilities. |
| A.13.1.1 | Network controls | Networks shall be managed and controlled to protect information in systems and applications. |