190821 ISO 27001 A.14
- 取得連結
- 以電子郵件傳送
- 其他應用程式
| A.14.1 | 資訊系統之安全需求 Security requirements of information systems | ||
| 目標:確保資訊安全是整個資訊系統生命週期整體的一部份。此亦包含在公共網路上提供服務之資訊系統的需求。 Objective: To ensure that information security is an integral part of information systems across the entire lifecycle. This also includes the requirements for information systems which provide services over public networks. | |||
| A.14.1.1 | 資訊安全需求分析與規格 Information security requirements analysis and specification | |
| 新資訊系統或對現存資訊系統的改善之需求,應將資訊安全相關需求包含在內。 The information security related requirements shall be included in the requirements for new information systems or enhancements to existing information systems. | ||
| A.14.1.2 | 保護公共網路上之應用服務 Securing application services on public networks | |
| 新資訊系統或對現存資訊系統的改善之需求,應將資訊安全相關需求包含在內。 The information security related requirements shall be included in the requirements for new information systems or enhancements to existing information systems. | ||
| A.14.1.3 | 保護應用服務交易 Protecting application services transactions | |
| 涉及到應用服務交易之資訊應加以保護,以防止未完成的傳輸、錯誤途徑、未授權的訊息修改、未授權的揭露、未授權的訊息重製或重複發送。 Information involved in application service transactions shall be protected to prevent incomplete transmission, misrouting, unauhorized message alteration, unauthorized disclosure, unauthorized message duplication or replay. | ||
| A.14.2 | 開發與支援程序之安全 Security in development and support processes | ||
| 目標:確保資訊安全是設計與實施在資訊系統開發生命週期內。 Objective: To ensure that information security is designed and implemented within the development lifecycle of information systems. | |||
| A.14.2.1 | 安全開發政策 Secure development policy | |
| 軟體與系統之開發的規則應加以建立並應用在組織內的開發。 Rules for the development of software and systems shall be estabished and applied to developments within the organization. | ||
| A.14.2.2 | 系統變更控制程序 System changes control procedures | |
| 在開發生命週期內對於系統的變更應經由正式的變更控制程序來加以控制。 Changes to systems within the development lifecycle shall be controlled by the use of formal change control procedures. | ||
| A.14.2.3 | 作業平台變更後之應用程序技術審查 Technical review of applications after operating platform changes | |
| 當作業平台變更時,關鍵的營運應用程序應加以審查與測試,以確保在組織運作與安全上沒有負面的影響。 When operating platforms are changed, business critical applications shall be reviewed and tested to ensure there is no adverse impact on organizational operations or security. | ||
| A.14.2.4 | 軟體套件變更之限制 Restrictions on changes to software packages | |
| 軟體套件的修改應加以防止,僅限於必要之變更,且所有的變更應加以嚴格地控管。 Modifications to software packages shall be discouraged, limited to necessary changes and all changes shall be strictly controlled. | ||
| A.14.2.5 | 安全系統設計原則 Secure system engineering principles | |
| 安全系統之設計原則應加以建立、文件化、維護並應用於任何資訊系統實施成果。 Principles for engineering secure systems shall be established, documented, maintained and applied to any information system implementation efforts. | ||
| A.14.2.6 | 安全開發環境 Secure development environment | |
| 組織應建立並適當地保護系統開發與涵蓋整個系統開發生命週期整合成果之安全開發環境。 Organizations shall establish and appropriately protect secure development environments for system development and integration efforts that cover the entire system development lifecycle. | ||
| A.14.2.7 | 委外開發 Outsourced development | |
| 組織應監督與監控委外系統開發活動。 The organization shall supervise and monitor the activity of outsourced system development. | ||
| A.14.2.8 | 系統安全測試 System security testing | |
| 在開發期間應實施安全功能性測試。 Testing of security functionality shall be carried out during development. | ||
| A.14.2.9 | 系統驗收測試 System acceptance testing | |
| 全新、更新與新版資訊系統之驗收測試程序與相關標準應加以建立。 Acceptance testing programs and related criteria shall be established for new information systems, upgrades and new versions. | ||
| A.14.3 | 測試資料 Test data | ||
| 目標:確保用於測試之資料的保護。 Objective: To ensure the protection of data used for testing. | |||
| A.14.3.1 | 測試資料之保護 Protection of test data | |
| 測試資料應謹慎地選擇、保護並加以控制。 Test data shall be selected carefully, protected and controlled. | ||
留言
張貼留言