Information Security System ISO 27001:2005
Internal Use
Trần Thị Nguyệt
FPT-IS

Contents
1. General introduction
2. ISMS development model
3. Main control groups
4. Questions and answers
1. General introduction
1. Introduction to the ISO 27001:2005 standard
ISO 27001 is an international standard that provides a model for establishing, operating, managing, maintaining and improving an information security system. The standard provides controls intended to reduce the risk to the company's assets to the lowest achievable level.
BS 7799 (British Standard): a collection of guidelines and controls distilled and recorded by organisations with good experience in building information security systems.
1. General introduction
Process of establishing and managing the ISMS (PDCA cycle):
- Plan: build the ISMS
- Do: operate the ISMS
- Check: assess and control the ISMS
- Act: maintain and improve the ISMS
1. General introduction
2. History of ISMS development
- Late 2005: ISO 27000 series
- September 2002: updated version of BS 7799-2 (revised and corrected)
- 2001: review of BS 7799-2
- December 2000: ISO/IEC 17799:2000
- 1999: updated version of BS 7799 Part 2
- 1998: BS 7799 Part 2
- BS 7799 Part 1
1. General introduction
3. What does securing an asset mean? All three properties must be satisfied:
- Confidentiality: information can be accessed only by those who are authorised and permitted to access it.
- Integrity: information that is exchanged and passed between parties remains completely accurate and assured.
- Availability: users can access the information whenever they need it.
2. ISMS development model
1. Assessing and building the ISMS: Assets -> Risks -> Risk assessment -> Risk treatment
2. ISMS development model
2. Assets
- Identify all information as an asset of the company. Like every other asset of the business, it has value and affects the business, so it must be protected.
- Information can exist in many forms: printed as hard copy; stored as soft copy; transmitted by fax, mail or speech.
- Information within the organisation relates to: customers, partners, internal matters.
2. ISMS development model
A. Asset classification: assets are divided into four types.
- Information assets: files, databases, training material, image files, audio files, user guides, deployment plans, ...
- Software assets: system software, application software, development software, utilities.
- Physical assets: computer equipment, printers/fax/photocopiers, communication equipment.
- Service assets: internet connectivity, telephone, externally provided services.
For each asset type FIS maintains a separate asset store (inventory); there are four: INF, SOF, PHY, SER.
2. ISMS development model
B. Four levels of importance:
- Special: assets with a very large impact on the organisation, valued at >= 100,000 USD.
- High: assets with a large impact on the organisation, valued at >= 10,000 USD.
- Medium: assets with a medium impact on the organisation, valued at >= 3,000 USD.
- Low: all remaining assets.
Asset owner: the department head or centre director.
Ways of assessing an asset's importance:
- Qualitative: based on the asset's level of impact.
- Quantitative: based on the asset's value.
For assets that depend on one another, the level is determined with the MAX function (the dependent asset takes the highest level among the assets involved).
2. ISMS development model
B. Asset labelling
- Information assets: labelled by inserting a marking into the document footer. Special level: marked "Top Secret". High level: marked "Confidential". Medium level: marked "Internal Use". Low level: no label required.
- Physical assets: labelled on the device according to the prescribed template.
- Software assets: licensed media (discs) are labelled.
- Service assets: not labelled.
2. ISMS development model
3. Risks
To determine the risk to an asset, first identify the threats and vulnerabilities of that asset (FIS maintains a Threat & Vulnerability list). Then determine the risk for each asset type:
Risk = Threat * Vulnerability * Asset value
2. ISMS development model
4. Risk assessment
- Define the method for assessing the risk level.
- Define which risk levels must be treated and which need not be, i.e. the level the organisation accepts.
- FIS's current risk assessment table: RiskAssessment.
5. Risk treatment
- Treat risks by selecting controls from those available (ISO 27001 offers 133 controls); the selection is recorded in the SOA (Statement of Applicability).
- FIS's risk treatment table: RiskTreatmentPlan.
6. Implement and enforce the selected controls.
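Added example (not from the slides or from FIS): the four value tiers, the MAX rule for dependent assets and Risk = Threat * Vulnerability * Asset value worked through in Python, ending in a treat/accept decision. The 1-3 threat and vulnerability scales, the per-tier scores, the acceptance threshold of 12 and the sample inventory are assumptions.

```python
from dataclasses import dataclass, field
# Value tiers from the slides (USD): Special >= 100,000, High >= 10,000,
# Medium >= 3,000, everything else Low; labels are the slides' document footers.
TIERS = [("Special", 100_000), ("High", 10_000), ("Medium", 3_000)]
LABELS = {"Special": "Top Secret", "High": "Confidential", "Medium": "Internal Use", "Low": None}
# Assumption: ordinal score per tier, used as "Asset value" in the risk formula.
TIER_SCORE = {"Special": 4, "High": 3, "Medium": 2, "Low": 1}

@dataclass
class Asset:
    store: str            # INF, SOF, PHY or SER, the four FIS asset stores
    value_usd: float
    depends_on: list = field(default_factory=list)

def tier_for_value(value_usd: float) -> str:
    """Quantitative assessment: map a dollar value to one of the four tiers."""
    for name, floor in TIERS:
        if value_usd >= floor:
            return name
    return "Low"

def effective_tier(asset: Asset, inventory: dict) -> str:
    """Dependent assets take the MAX tier over the asset and what it depends on."""
    best = tier_for_value(asset.value_usd)
    for dep in asset.depends_on:
        dep_tier = effective_tier(inventory[dep], inventory)
        if TIER_SCORE[dep_tier] > TIER_SCORE[best]:
            best = dep_tier
    return best

def risk_score(threat: int, vulnerability: int, tier: str) -> int:
    """Risk = Threat * Vulnerability * Asset value (threat and vulnerability rated 1-3, assumed)."""
    return threat * vulnerability * TIER_SCORE[tier]

def assess(inventory: dict, findings: list, accept_below: int = 12) -> list:
    """Rows of (asset, tier, label, risk, decision); risk >= the assumed threshold is treated."""
    rows = []
    for asset_name, threat, vuln in findings:
        tier = effective_tier(inventory[asset_name], inventory)
        risk = risk_score(threat, vuln, tier)
        rows.append((asset_name, tier, LABELS[tier], risk, "treat" if risk >= accept_below else "accept"))
    return rows

# Constructed sample inventory and (asset, threat, vulnerability) findings.
INVENTORY = {
    "Customer DB": Asset("INF", 150_000),
    "DB server": Asset("PHY", 8_000, depends_on=["Customer DB"]),
    "Training slides": Asset("INF", 500),
}
FINDINGS = [("Customer DB", 3, 2), ("DB server", 2, 2), ("Training slides", 3, 3)]
```

Note that the server is only a Medium asset by its own price but inherits Special through the MAX rule, so its risk lands in the treatment plan.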
2. ISMS development model
ISMS organisation chart:
- BOM
- ISMS Team: Leader, Manager, Members
- Business Centers, FIS Branches, Project Groups, Technology Centers, Support Departments
3. Main control groups
1. Structure of the ISO 27001 standard
- Introduction
- Scope
- Terms and definitions
- Information security management system
- Management responsibility
- Internal ISMS audits
- Management review of the ISMS
- ISMS improvement
- Annex A: 11 domains comprising 133 controls
- Annexes B, C
3. Main control groups
The 11 control domains of Annex A, arranged around the three properties of information (Confidentiality, Integrity, Availability):
1. Security policy
2. Organizational security
3. Asset management
4. Human resources
5. Physical and environmental security
6. Communications and operations management
7. Access control
8. IS acquisition, development & maintenance
9. Incident management
10. Business continuity management
11. Compliance
3. Main control groups
Structure of the ISO 27001 standard (Annex A domains):
1. Information security policy
2. Organisation of information security
3. Asset management
4. Human resources security
5. Physical and environmental security
6. Communications and operations control
7. Access control
8. Information systems development and maintenance
9. Information security incident management
10. Business continuity control
11. Compliance
ISMS documentation hierarchy:
1. Security manual (Information Security Manual: IS policy, objectives)
2. Procedures
3. Work instructions, checklists, forms, etc.
4. Records
3. Main control groups
Group 1: Management review
- Management review procedure: 01v-QT/ISMS
- Management review guideline: 01v-HD/ISMS
3. Main control groups
Group 2: Corrective and preventive action
- Corrective and preventive action procedure: 02v-QT/ISMS
Group 3: Document and record control (per the FPT Quality Manual)
3. Main control groups
Group 4: Risk management
- Risk management policy: 04e-cs/ISMS
- Risk management procedure: 04e-qt/ISMS
3. Main control groups
Group 5: Information security policy
- Information security policy: 05v-cs/isms
3. Main control groups
Group 5: FIS information security policy
- Compliance with legal and regulatory requirements and with contractual obligations.
- The confidentiality of information is assured.
- The integrity of information is maintained.
- The availability of information for business processes is maintained.
- Information is protected from unauthorised access.
- Business continuity plans are established, maintained and tested.
- Information security training is provided to all staff.
- Information security breaches (actual or suspected) are reported to the information security officer and investigated seriously.
3. Main control groups
Group 5: FIS information security policy
- All FIS staff are required to read and understand the information security policy and to know where to access it.
3. Main control groups
Group 6: Organisation of information security
- Guideline on controlling access by external organisations: 06vhd/ISMS
- Confidentiality undertaking: 06-bm/ISMS
3. Main control groups
Group 6. Organisation of information security
When an external party (supplier, partner, third party or other external organisation) needs access to the organisation's information:
- The organisation assesses the risk.
- The external party is required to make an information security undertaking to FIS. The security terms can take the form of: a signed NDA (Non Disclosure Agreement); clauses in the contract; awareness training for the external party.
3. Main control groups
Group 7: Asset management
- Asset management policy: 07v-cs/ISMS
- Asset usage procedure: 02-qt/HH
- Personal asset registration procedure: 01-qt/HH
- Asset store (inventory) template: 08-bm/HH
- Asset label template: 06-bm/HH
- Request form for asset use / laptop purchase: the asset management officer (CBQLTS) must state the importance level when requesting use, for approval by the department head (TBP).
3. Main control groups
Group 7. Asset management
- Labelling physical assets.
- Labelling information assets: the soft copy must be labelled before it is printed as hard copy. Hard copies are stamped only when the document originates from a customer.
3. Main control groups
Group 7. Asset management (cont.)
- Company assets taken off the premises require approval.
- Personal assets (laptops) must be registered before use.
3. Main control groups
Group 7. Asset management (cont.): Information handling
Asset storage:
- Information assets (soft copy) of level S, H or M must be stored on the server.
- Hard-copy information assets are kept in a locked cabinet.
3. Main control groups
Group 8: Human resources security
- Human resources information security policy: 08-cs/ISMS
- Contract templates and recruitment plans (moved to the FIS-level HR Manual).
- Hand-over confirmation on leaving (HR Manual): 04-bm/NS
3. Main control groups
Group 8. Human resources management
Training:
- Probationary staff: immediate overview training.
- Staff in the employment phase: more specific training on their own duties and responsibilities within the FIS information security system.
- Changes to the information security system must be communicated to staff through training immediately.
Recruitment:
- Sensitive positions related to information security require careful consideration during recruitment.
- Information security clauses are added to the contract annex.
Staff management:
- Staff who resign or transfer have their rights to use assets revoked at the time of resignation or transfer recorded in the contract termination request.
- Information security violations are subject to appropriate disciplinary action.
3. Main control groups
Group 9: Physical and environmental security
- Environmental security policy: 09-cs/ISMS
- Request form for taking assets off the premises: 07-bm/HC
- Log of assets taken off the premises: 08-bm/HC
- Visitor reception procedure: 04-qt/HC
- Visitor sponsorship form: 09-bm/HC
3. Main control groups
Group 9. Physical and environmental security
- Reception tracks visitors entering and leaving; visitors are sponsored by a staff member; a visitor log is kept.
- Badge control system: staff must wear their badge on company premises.
- CCTV monitoring system.
- Secure areas such as the server room have doors with two keys held by two different people.
- Rules for secure areas.
- Control over taking company assets off the premises: staff submit a request before taking an asset out.
3. Main control groups
Group 10: Communications and operations control
- Communications and operations security policy: 10-cs/ISMS
- Data backup procedure: 02-qt/TT
- Change procedure: 10.1-qt/ISMS
- Equipment disposal procedure: 03-qt/TT
- Malicious code control guideline: 04-hd/TT
3. Main control groups
Group 10. Communications and operations management
Contents:
- Change control.
- Privilege analysis: for Admin rights, control of access passwords (only these are controlled).
- Control of third-party services.
- Capacity control.
- Malicious code control; mobile code is prohibited.
- Data backup control.
- Control and disposal of storage media.
- System monitoring: system log-on activity, failed log-ons.
3. Main control groups
Group 11: Access control
- Access security policy: 11-cs/ISMS
- Asset access granting procedure: 11-qt/ISMS
- Access request form: 11-bm/ISMS
3. Main control groups
Group 11. Access control
Physical access control, divided into three zones:
- Working area: controlled by access badge.
- Public area: visitor reception areas such as the lobby; visitors must be escorted in.
- Secure area: places requiring strict security, with entry rules: the SERVER ROOM.
Network access control: access is controlled through VPN.
Password rules: change at least once every 6 months.
Clear desk, clear screen policy: lock the computer before leaving the workstation.
3. Main control groups
Group 11. Access control (cont.)
Access to FIS information assets: staff are allowed to access the company's internal information resources depending on:
- the centre/department they work in;
- their job position;
- their role and authority.
Based on this, the IT manager assigns specific access rights (Read, Write, Modify, Full) on the folders and web pages relevant to the staff member's work.
3. Main control groups
Group 12: Systems development and maintenance
- Policy: 12-cs/ISMS
- Technical vulnerability management procedure: 06-qt/TT
- System planning and acceptance guideline: 02v-hd/TT
- System planning report: 02.1-bm/TT
3. Main control groups
Group 12. Information systems development and improvement
Rule: manage the company's technical vulnerabilities and define the remediation for each.
4. Information Security Manual
Group 13: Information security incident management
- Information security incident management policy: 13-cs/ISMS
- Information security incident management procedure: 13-qt/ISMS
- Information security incident report form: 13-bm/ISMS
- Incident database form: 13.2-bm/ISMS
3. Main control groups
Group 13. Information security incident/event management
Definition: the following information security events may lead to an information security incident:
- System problems; inefficient or unexplained system behaviour.
- Unauthorised access to system resources.
- Unauthorised use of company IT resources.
- Unauthorised disclosure of company information.
- Unauthorised modification or destruction of information.
- Theft of physical assets.
- Virus infection.
3. Main control groups
Group 13. Information security incident/event management
Classification:
- Urgent: an incident that interrupts one or more activities and seriously affects the operation of the Company.
- High: an incident that interrupts one or more activities and seriously affects the operation of a Centre/Department.
- Medium: an incident that interrupts one or more activities and seriously affects the operation of a BU.
- L (Low): an incident that affects only an individual and not the organisation's operations.
Action on an information security incident: as soon as a security event/incident is detected, notify the information security officer (ISMS Manager) of your unit immediately, or raise it on eiso as an NC/NX so that the responsible staff can handle it.
3. Main control groups
Group 14: Business continuity management
- Business continuity management policy: 14-cs/ISMS
- Business continuity procedure: 14-qt/ISMS
- Business continuity guideline: 14-hd/ISMS
3. Main control groups
Group 14. Business continuity management
- Set up the BCP (Business Continuity Plan) team.
- Prepare and test the Business Continuity Plan.
- Disruption scenarios involve AF, IT and AD. AF: network system and accounting software. IT: server systems. AD: fire, fire-fighting drills.
- Revise the plan when needed.
3. Main control groups
Group 15: Compliance
- Policy: 15-cs/ISMS
- Internal audit procedure: 15-qt/ISMS
- Legal compliance assessment guideline: 15-hd/ISMS
3. Main control groups
Group 15. Compliance
- Conduct an internal audit of the information security system every year.
- Legal compliance assessment: a Compliance Team made up of the managers of AD, AF and HR meets to review and update the list of applicable laws every year.
3. Main control groups
Group 16: Other documents
- Common operating practices: 17-hd/ISMS
- Rules for employees
3. Main control groups
Rules for employees:
1. Read and understand the company's information security policy.
2. Wear your employee badge at all times while at the office.
3. Do not leave documents on your desk when unattended; lock your computer when you step away.
4. Keep all documents of level M and above in a locked cabinet.
5. Do not use unlicensed software on your computer.
6. Visitors on business may only enter public areas such as meeting rooms and the reception lobby. In special cases where a visitor enters the working area, the host staff member must go to reception to complete the sponsorship procedure for the visitor.
7. Company assets taken off the premises require an approved request.
8. Change your password for the company's information systems every 6 months.
9. Report information security events to your unit's ISMS manager (ISMSman), or raise them on eiso as an NC/NX so that the responsible staff can handle them.
10. Attend fire prevention and fire-fighting training.