ICS35.040中华人民共和国国家标准GB/T××××—××××信息技术信息安全管理实用规则Informationtechnology-Codeofpracticeforinformationsecuritymanagement(ISO/IEC17799:2000,MOD)(报批稿)××××-××-××发布××××-××-××实施国家质量监督检验检疫总局发布GB/T××××—××××目次前言..................................................................................III引言...................................................................................IV1范围..................................................................................12术语和定义............................................................................12.1信息安全..........................................................................12.2风险评估..........................................................................12.3风险管理..........................................................................13安全策略..............................................................................13.1信息安全策略........................................................................14组织的安全............................................................................24.1信息安全基础设施....................................................................24.2第三方访问的安全....................................................................44.3外包................................................................................65资产分类和控制........................................................................75.1资产的可核查性......................................................................75.2信息分类............................................................................76人员安全..............................................................................86.1岗位设定和人力资源的安全............................................................86.2用户培训...........................................................................106.3对安全事故和故障的响应.............................................................107物理和环境的安全.....................................................................117.1安全区域...........................................................................117.2设备安全...........................................................................137.3一般控制...........................................................................158通信和操作管理.......................................................................168.1操作规程和职责.....................................................................168.2系统规划和验收.....................................................................198.3防范恶意软件.......................................................................198.4内务处理...........................................................................208.5网络管理...........................................................................218.6媒体处置和安全.....................................................................218.7信息和软件的交换...................................................................239访问控制.............................................................................269.1访问控制的业务要求.................................................................279.2用户访问管理..............................................
