17799 10.9.2~10.10.1

693520404 張永昌

10.9.2 On-Line Transactions(1)

Control: Information involved in on-line transactions should be protected to prevent incomplete transmission, mis-routing, unauthorized message alteration, unauthorized disclosure, and unauthorized message duplication or replay.

10.9.2 On-Line Transactions(2)

Implementation guidance: Security considerations for on-line transactions should include the following:

a) the use of electronic signatures by each of the parties involved in the transaction;

b) all aspects of the transaction, i.e. ensuring that:

1) user credentials of all parties are valid and verified;

2) the transaction remains confidential; and

3) privacy associated with all parties involved is retained;

10.9.2 On-Line Transactions(3)

c) communications path between all involved parties is encrypted;

d) protocols used to communicate between all involved parties are secured;

e) ensuring that the storage of the transaction details is located outside of any publicly accessible environment (e.g. transaction records are normally kept on the organization's internal network and are not placed directly on the public Internet).

10.9.2 On-Line Transactions(4)

f) where a trusted authority is used (e.g. for the purposes of issuing and maintaining digital signatures and/or digital certificates), security is integrated and embedded throughout the entire end-to-end certificate/signature management process.
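As an added example (not part of the original slides or of the standard's text), the following Python shows one way a sender and receiver can implement the alteration, duplication and replay protections the control calls for: each transaction is serialized canonically, given a fresh nonce and a timestamp, and authenticated with an HMAC-SHA256 tag under a shared key. The key, the field names, the 300-second freshness window and the sample transaction are all constructed for this example. The guidance's item a) names electronic signatures, which a real deployment would normally satisfy with a public-key signature rather than a shared-secret HMAC; the freshness and replay checks are the same either way.

```python
import hashlib
import hmac
import json
import secrets
import time
from typing import Optional, Set, Tuple

# Constructed demo key; a real deployment would use per-party keys from a key
# management system (or public-key signatures, as guidance item a) implies).
DEMO_KEY = b"constructed-demo-key-not-for-production"

# Constructed freshness window: a captured message older than this is rejected.
MAX_AGE_SECONDS = 300


def canonical(message: dict) -> bytes:
    """Serialize deterministically so both parties authenticate identical bytes."""
    return json.dumps(message, sort_keys=True, separators=(",", ":")).encode("utf-8")


def sign_transaction(payload: dict, key: bytes, now: Optional[float] = None) -> dict:
    """Attach a fresh nonce, a timestamp and an HMAC-SHA256 tag to a transaction."""
    message = dict(payload)
    message["nonce"] = secrets.token_hex(16)                  # defeats duplication/replay
    message["ts"] = int(time.time() if now is None else now)  # bounds how long a capture is valid
    message["tag"] = hmac.new(key, canonical(message), hashlib.sha256).hexdigest()
    return message


def verify_transaction(message: dict, key: bytes, seen_nonces: Set[str],
                       now: Optional[float] = None) -> Tuple[bool, str]:
    """Reject altered, stale or replayed transactions; accept and record fresh ones."""
    body = {k: v for k, v in message.items() if k != "tag"}
    expected = hmac.new(key, canonical(body), hashlib.sha256).hexdigest()
    # Constant-time comparison: a change to any field, or a wrong key, fails here.
    if not hmac.compare_digest(expected, str(message.get("tag", ""))):
        return False, "altered"
    current = time.time() if now is None else now
    if abs(current - body["ts"]) > MAX_AGE_SECONDS:
        return False, "stale"
    # The nonce store must be shared by every receiver instance; otherwise a
    # duplicate delivered to a second node would be accepted.
    if body["nonce"] in seen_nonces:
        return False, "replay"
    seen_nonces.add(body["nonce"])
    return True, "ok"


if __name__ == "__main__":
    seen: Set[str] = set()
    txn = sign_transaction({"from": "acct-001", "to": "acct-002", "amount": 100}, DEMO_KEY)
    print(verify_transaction(txn, DEMO_KEY, seen))  # (True, 'ok')
    print(verify_transaction(txn, DEMO_KEY, seen))  # (False, 'replay')
```

The timestamp check runs before the nonce check so that the receiver only needs to remember nonces for the freshness window; anything older is already rejected as stale, which keeps the replay cache bounded.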

10.9.3 Publicly available information(1)

Control: The integrity of information being made available on a publicly available system should be protected to prevent unauthorized modification.

Implementation guidance: Software, data, and other information requiring a high level of integrity, being made available on a publicly available system, should be protected by appropriate mechanisms.

10.9.3 Publicly available information(2)

There should be a formal approval process before information is made publicly available. In addition, all input provided from the outside to the system should be verified and approved.

10.9.3 Publicly available information(3)

Electronic publishing systems, especially those that permit feedback and direct entering of information, should be carefully controlled so that:

a) information is obtained in compliance with any data protection legislation (see 15.1.4);

b) information input to, and processed by, the publishing system will be processed completely and accurately in a timely manner;

10.9.3 Publicly available information(4)

c) sensitive information will be protected during collection, processing, and storage;

d) access to the publishing system does not allow unintended access to networks to which the system is connected.
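As an added example (not from the original slides or the standard), the following Python shows one "appropriate mechanism" for the 10.9.3 control: a digest manifest is recorded for the approved content at publication time, and a later check reports anything on the public system that was modified, removed, or added outside the approval process. The content tree is constructed in memory here; in practice the files would be read from the web root, and the manifest must be stored where the web server's own account cannot write it, otherwise whoever can alter the content can alter the manifest too.

```python
import hashlib
from typing import Dict, List

# Constructed stand-in for the approved content tree (path -> file bytes).
APPROVED_CONTENT: Dict[str, bytes] = {
    "index.html": b"<html><body>Welcome</body></html>",
    "pricing.html": b"<html><body>Prices as approved</body></html>",
    "downloads/tool-1.0.zip": b"PK\x03\x04constructed-archive-bytes",
}


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_manifest(files: Dict[str, bytes]) -> Dict[str, str]:
    """Record the digest of every approved file when it is released for publication."""
    return {path: sha256_hex(data) for path, data in sorted(files.items())}


def check_integrity(manifest: Dict[str, str], current: Dict[str, bytes]) -> Dict[str, List[str]]:
    """Compare what the public system now serves against the approved manifest."""
    modified = [p for p, digest in manifest.items()
                if p in current and sha256_hex(current[p]) != digest]
    missing = [p for p in manifest if p not in current]
    unexpected = sorted(p for p in current if p not in manifest)
    return {"modified": modified, "missing": missing, "unexpected": unexpected}


def is_clean(report: Dict[str, List[str]]) -> bool:
    """True when nothing was modified, removed or added since approval."""
    return not any(report.values())


if __name__ == "__main__":
    manifest = build_manifest(APPROVED_CONTENT)
    served = dict(APPROVED_CONTENT)
    served["pricing.html"] = b"<html><body>Prices changed without approval</body></html>"
    print(check_integrity(manifest, served))
```

Running the check on a schedule (or from a file-change trigger) turns an unauthorized modification into a detectable event rather than something discovered by visitors; the "unexpected" list is what catches content that never went through the formal approval process at all.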

10.10 Monitoring

Objective: To detect unauthorized information processing activities.

Systems should be monitored and information security events should be recorded. Operator logs and fault logging should be used to ensure that information system problems are identified.

10.10.1 Audit logging(1)

Control: Audit logs recording user activities, exceptions, and information security events should be produced and kept for an agreed period to assist in future investigations and access control monitoring.

10.10.1 Audit logging(2)

Implementation guidance: Audit logs should include, when relevant:

a) user IDs;

b) dates, times, and details of key events, e.g. log-on and log-off;

c) terminal identity or location if possible;

d) records of successful and rejected system access attempts;

e) records of successful and rejected data and other resource access attempts;

f) changes to system configuration;

10.10.1 Audit logging(3)

g) use of privileges;

h) use of system utilities and applications;

i) files accessed and the kind of access;

j) network addresses and protocols;

k) alarms raised by the access control system;

l) activation and de-activation of protection systems, such as anti-virus systems and intrusion detection systems.
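As an added example (not from the original slides or the standard), the following Python turns the list in 10.10.1 into a check that can be run over a log feed: each JSON-lines audit record is tested for the fields items a), b), d)/e) and j) require, records that cannot be parsed or lack a field are reported by line number so the logging gap can be fixed, and outcomes and event types are counted so rejected access attempts and protection-system deactivations (items d), e) and l)) stand out. The field names and the five sample log lines are constructed for this example; a real log schema would map its own field names onto the same items.

```python
import json
from collections import Counter
from typing import Dict, List, Tuple

# Fields every audit record should carry, mapped to the guidance items above.
# Field names are constructed for this example; map your own schema onto them.
REQUIRED_FIELDS = {
    "user_id": "a) user ID",
    "timestamp": "b) date and time of the event",
    "event": "b) key event, e.g. log-on / log-off",
    "outcome": "d)/e) successful or rejected attempt",
    "source_ip": "j) network address",
}

# Constructed sample audit feed (JSON lines); line 3 lacks a user ID, line 4 lacks a
# network address, and line 5 is the kind of free-text line that escapes a schema.
SAMPLE_LOG = [
    '{"timestamp":"2024-01-05T08:01:12Z","user_id":"alice","event":"logon","outcome":"success","source_ip":"10.0.0.5","terminal":"ws-12"}',
    '{"timestamp":"2024-01-05T08:02:40Z","user_id":"bob","event":"logon","outcome":"rejected","source_ip":"10.0.0.9"}',
    '{"timestamp":"2024-01-05T08:03:05Z","event":"config_change","outcome":"success","source_ip":"10.0.0.5"}',
    '{"timestamp":"2024-01-05T08:04:00Z","user_id":"carol","event":"av_deactivated","outcome":"success"}',
    'Jan 5 08:05:00 host: unstructured message',
]


def missing_fields(record: dict) -> List[str]:
    """Return the required fields a record lacks (absent, empty or null)."""
    return [f for f in REQUIRED_FIELDS if record.get(f) in ("", None)]


def review_log(lines: List[str]) -> Dict[str, object]:
    """Check completeness of each record and tally outcomes and event types."""
    incomplete: List[Tuple[int, List[str]]] = []
    outcomes: Counter = Counter()
    events: Counter = Counter()
    for number, line in enumerate(lines, start=1):
        try:
            record = json.loads(line)
        except json.JSONDecodeError:
            incomplete.append((number, ["unparseable"]))  # cannot be audited at all
            continue
        gaps = missing_fields(record)
        if gaps:
            incomplete.append((number, gaps))
        outcomes[record.get("outcome", "unknown")] += 1
        events[record.get("event", "unknown")] += 1
    return {"incomplete": incomplete, "outcomes": dict(outcomes), "events": dict(events)}


if __name__ == "__main__":
    result = review_log(SAMPLE_LOG)
    for number, gaps in result["incomplete"]:
        print(f"line {number}: missing {', '.join(REQUIRED_FIELDS.get(g, g) for g in gaps)}")
    print("outcomes:", result["outcomes"])
    print("events:", result["events"])
```

The "incomplete" list is the part most often skipped in practice: a log that records a configuration change without the user who made it, or a protection-system deactivation without a source address, cannot support the investigation the control exists for, so the completeness check should run continuously rather than only when an incident is already under way.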