Framework
COBIT Framework is the basis of the COBIT approach and the foundation for all the other COBIT elements. The process model is organized into four domains: Plan and Organize, Acquire and Implement, Deliver and Support, and Monitor and Evaluate.
Preface
The IT Baseline Protection Manual contains standard security safeguards, implementation advice and aids for numerous IT configurations which are typically found in IT systems today. This information is intended to assist with the rapid solution of common security problems, support endeavours aimed at raising the security level of IT systems and simplify the creation of IT security policies. The standard security safeguards collected together in the IT Baseline Protection Manual are aimed at a protection requirement which applies to most IT systems.
For the majority of IT systems, this considerably facilitates the task of drawing up a security policy, hitherto a labour-intensive process, by eliminating the need for extensive, and often complex, analyses of threats and probabilities of occurrence. If the manual is used, all that is required to identify security shortcomings and specify appropriate security measures is to compare the target safeguards presented here with the actual safeguards in operation.
The IT Baseline Protection Manual has been created so that it can be continuously updated and extended. It is revised every six months to incorporate suggestions for improvements and additional material and to reflect the latest IT developments. I would like to thank those users of the IT Baseline Protection Manual who have contributed to this version.
Dr. Udo Helmbrecht
Information Security Risk Management Guidelines AS HB231
Preface
The vulnerability of today's information society is still not sufficiently realised: businesses, administrations and society depend to a high degree on the efficiency and security of modern information technology. In the business community, for example, most of the monetary transactions are administered by computers in the form of deposit money. Electronic commerce depends on safe systems for money transactions in computer networks. A company's entire production frequently depends on the functioning of its data-processing system. Many businesses store their most valuable company secrets electronically. Marine, air, and space control systems, as well as medical supervision, rely to a great extent on modern computer systems. Computers and the Internet also play an increasing role in the education and leisure of minors. International computer networks are the nerves of the economy, the public sector and society. The security of these computer and communication systems is therefore of essential importance.
European Commission 1998
Ever more powerful personal computers, converging technologies and the widespread use of the Internet have replaced what were modest, stand-alone systems in predominantly closed networks. Today, participants are increasingly interconnected and the connections cross national borders. In addition, the Internet supports critical infrastructures such as energy, transportation and finance and plays a major part in how companies do business, how governments provide services to citizens and enterprises and how individual citizens communicate and exchange information. The nature and type of technologies that constitute the communications and information infrastructure also have changed significantly. The number and nature of infrastructure access devices have multiplied to include fixed, wireless and mobile devices, and a growing percentage of access is through always-on connections. Consequently, the nature, volume and sensitivity of information that is exchanged has expanded substantially.
As a result of increasing interconnectivity, information systems and networks are now exposed to a growing number and a wider variety of threats and vulnerabilities.
OECD 2002
Information security risk management forms the basis for an assessment of an organization's information security framework. With increasing electronic networking between organizations for a very wide range of applications, which impacts on most aspects of life in our society, there is a clear benefit in having a common set of reference documents for information security management. This enables mutual trust to be established between networked sites and trading partners and provides a basis for management of facilities between information users and service providers. Security for information systems is an essential requirement at organizational, national and international levels.
This handbook was revised in 2003 to be consistent with AS/NZS 7799.2:2003.
This Joint Australia/New Zealand Handbook has been prepared by Committee IT-012, Information Systems, Security and Identification Technology. This publication extends the generic work done by Committee OB/7, Risk Management, to specifically address the area of information security management. Information security risk management guidelines issued by the International Organization for Standardization (ISO) as ISO/IEC TR 13335, Information technology—Guidelines for the management of IT security, have been adapted to align with the Australian and New Zealand Standard AS/NZS 4360, Risk management.
AS/NZS ISO/IEC 17799 establishes a code of practice for selecting information security controls (or, equivalently, treating information security risks). AS/NZS 7799.2 (BS 7799.2) specifies an information security management system. Both documents require that a risk assessment process is used as the basis for selecting controls (treating risks). This Handbook complements these Standards by providing additional guidance concerning management of information security risks.
The guidance in this Handbook is not intended to be a comprehensive schedule of information security threats and vulnerabilities. It is intended to serve as a single reference point describing an information security risk management process suitable for most situations encountered in industry and commerce, and therefore can be applied by a wide range of organizations. Not all of the steps described in the handbook are relevant to every situation, nor can they take account of local environmental or technological constraints, or be presented in a form that suits every potential user in an organization. Safety-critical applications in particular will require additional consideration of factors specific to the circumstances, and relevant Standards should be consulted in such cases. Consequently, these guidelines may need to be augmented by further guidance before they can be used as a basis (for example) for corporate policy or an inter-company trading agreement.
It has been assumed in the drafting of these guidelines that the execution of their provisions is entrusted to appropriately qualified and experienced people.
Guidelines for the Management of IT Evidence HB 171—2003
Preface
This handbook has been prepared by Committee IT/012, Information Systems, Security and Identification Technology. It is intended for use as a reference document by a variety of audiences, including—
a) executives and Boards responsible for ensuring the existence of records that can be used in protecting the interests of their organization by initiating or defending legal proceedings or in fulfilling a social responsibility as a witness;
b) personnel who are responsible for designing/acquiring information technology systems that produce and/or store records and the staff responsible for their use and operation;
c) personnel conducting an investigation or enquiry involving electronic records; and
d) adjudicators who base their decision, at least partially, on IT evidence (e.g. judiciary, tribunal members, administrative management).
The authors recognize the cross-disciplinary nature of the management of IT evidence, involving as it does business, legal and information technology professionals. As far as possible, the handbook has been written in “plain English”, minimizing both legal and technical jargon.
Qualification
This handbook does not purport to provide legal advice. Compliance with this handbook does not guarantee the legal admissibility of electronic records—it is a statement of best practice.
Organizations are encouraged to seek both legal and other expert advice when implementing information technology systems that create, store, process or transmit documents of significant evidentiary value.
Acknowledgements
Standards Australia would like to acknowledge Ajoy Ghosh’s efforts in drafting this handbook, authorship of which was sponsored jointly by the Commonwealth Attorney-General’s Department and the Australian Federal Police.
The following organizations have contributed to the writing of this handbook:
AusCERT
Australian Federal Police
Australasian Centre for Policing Research
Australian Prudential Regulation Authority
Australian Securities and Investment Commission
Australian Taxation Office
Action Group on E-Commerce
Commonwealth Attorney-General’s Department
Deacons
Defence Signals Directorate
Standards Australia sub-committee IT/012/04 (Security Techniques)
Australia/New Zealand Information Security Standard 13335-2003 / ISO Standard 13335-1997, Part 5: Management guidance on network security
Australian Standard™
Information technology—Guidelines for the management of IT Security
Part 5: Management guidance on network security
Australia/New Zealand Information Security Standard 13335-2003 / ISO Standard 13335-1997, Part 4: Selection of safeguards
Australian Standard™
Information technology—Guidelines for the management of IT Security
Part 4: Selection of safeguards