Enterprise Information Security Compliance Certifications: InfoSec Compliance (kept up to date)
Contents
ISO 27000 family (international)
Checklist: https://download.****.net/download/strings_lei/12369414
ISO/IEC 27000:2018
Information security management systems - Overview and vocabulary (fifth edition)
ISO/IEC 27000 “provides an overview of information security management systems” (and hence the ISO27k standards), and “defines related terms” (i.e. a glossary that formally and explicitly defines many of the specialist terms as they are used in the ISO27k standards).
https://download.****.net/download/strings_lei/12369356
ISO/IEC 27001
ISO/IEC 27001:2005 (old version)
Information security management systems — Requirements (first edition)
http://www.securitycn.net/img/uploadimg/20070924/183844756.pdf
ISO/IEC 27001:2013
Information security management systems — Requirements (second edition)
ISO/IEC 27001 formally specifies an Information Security Management System (ISMS), a suite of activities concerning the management of information risks (called ‘information security risks’ in the standard). The ISMS is an overarching management framework through which the organization identifies, analyzes and addresses its information risks. The ISMS ensures that the security arrangements are fine-tuned to keep pace with changes to the security threats, vulnerabilities and business impacts - an important aspect in such a dynamic field, and a key advantage of ISO27k’s flexible risk-driven approach as compared to, say, PCI-DSS.
The standard covers all types of organizations (e.g. commercial enterprises, government agencies, non-profits), all sizes (from micro-businesses to huge multinationals), and all industries or markets (e.g. retail, banking, defense, healthcare, education and government). This is clearly a very wide brief.
ISO/IEC 27001 does not formally mandate specific information security controls since the controls that are required vary markedly across the wide range of organizations adopting the standard. The information security controls from ISO/IEC 27002 are noted in annex A to ISO/IEC 27001, rather like a menu. Organizations adopting ISO/IEC 27001 are free to choose whichever specific information security controls are applicable to their particular information risks, drawing on those listed in the menu and potentially supplementing them with other a la carte options (sometimes known as extended control sets). As with ISO/IEC 27002, the key to selecting applicable controls is to undertake a comprehensive assessment of the organization’s information risks, which is one vital part of the ISMS.
Furthermore, management may elect to avoid, share or accept information risks rather than mitigate them through controls - a risk treatment decision within the risk management process.
ISO/IEC 27002:2013
Security techniques — Code of practice for information security controls (second edition)
ISO/IEC 27002 is a popular, internationally-recognized standard of good practice for information security. ISO/IEC 27002’s lineage stretches back more than 30 years to the precursors of British Standard BS 7799, published in 1995.
https://www.iso27001security.com/html/27002.html
ISMS implementation and certification process flowchart v4.1
SOX (US SEC) / SOC
https://socauditservices.com/2017/03/28/soc-vs-sox/
SOX
Remember the Enron scandal? How about WorldCom and Tyco? These early-2000, high-profile financial disasters rattled investor trust and consumer confidence. SOX was created to ensure greater accountability and corporate governance by a public entity for its investors.
The Sarbanes-Oxley Act (SOX) was instituted in 2002 for the purpose of protecting shareholders (and the general public) from accounting fraud, miscalculated financial records and potentially harmful corporation disclosures and practices.
SOX is monitored by the US Securities and Exchange Commission (SEC) and impacts both the financial and IT departments of a corporation. While SOX compliance doesn’t tell you exactly how to run your record keeping, it does spell out what controls should be in place to provide accurate financial statements.
The Likely Users of SOX Include:
Publicly-traded companies
Wholly-owned subsidiaries of publicly-traded companies
Non-US-based, publicly-traded companies
Private companies preparing to go public (IPOs)
SOC
Service Organizational Control (SOC) audits are incredibly granular, internal control reports that provide a great deal of transparency for shareholders, investors and future auditors. Long story short, they make sure the information and data you store is accurate and protected at all times. Nothing gets through the cracks during a SOC audit.
SOC audits yield a robust report that can be used by other auditors. It covers all the bases, saves on audit time and cuts the costs of the project. As small business accountants, a SOC audit also gives us great comfort and confidence with our financial projects and planning. These reports boost shareholder confidence, minimize potential security breaches and significantly cut waste throughout the organization’s procedures and processes.
- SOC 1: An audit of internal controls over financial reporting. Think of it like this: if the service you perform produces a number that affects the financial status of your customer, this might apply to you.
- SOC 2: An audit over one to all five of the Trust Services Principles (TSPs). What are the TSPs? Security, Availability, Processing Integrity, Confidentiality, and Privacy. (This audit is typically very IT-focused.)
- SOC 3: Similar to a SOC 2 audit, this covers IT controls related to Security, Availability, Processing Integrity, Confidentiality, and Privacy, but presents less detail about internal processes and the results of the auditor’s testing, and is most generally used for marketing purposes.
- SOC for Cybersecurity: As digital security breaches continue to pop up around the world, this new SOC report focuses on highlighting an organization’s efforts to prevent, monitor and effectively handle any cyber security threats.
The Likely Users of SOC Services Include:
Healthcare & medical practices
Data centers
Banks & investment firms
Co-Location service providers
Tax service providers
Any organization that cannot afford a data breach
CPIS: Classified Protection of Cybersecurity (网络安全等级保护, China)
Interpretation of the Classified Protection of Cybersecurity 2.0 standards system
http://www.djbh.net/webdev/web/SafeProductAction.do?p=getBzgfZxbz&id=8a81825671429a6701715c98cfee000d
From 2007 to 2017, Classified Protection 1.0 (等保1.0) was in use. Why has it been called Classified Protection 2.0 since 2017? Because on June 1, 2017, the Cybersecurity Law of the People’s Republic of China came into force. It states that the state implements a classified protection system for cybersecurity; note that from that point on, classified protection became a legal requirement, and not carrying it out is a violation of the law. At the same time, Article 31 states that if an organization’s system is extremely important, it is designated “critical information infrastructure”, and for such a system classified protection alone is not enough: key protection must be carried out on top of classified protection.
GDPR (Europe)
https://gdpr.eu/
Whole Regulation
Europe’s new data privacy and security law includes hundreds of pages’ worth of new requirements for organizations around the world.
The General Data Protection Regulation (GDPR) is the toughest privacy and security law in the world. Though it was drafted and passed by the European Union (EU), it imposes obligations onto organizations anywhere, so long as they target or collect data related to people in the EU. The regulation was put into effect on May 25, 2018. The GDPR will levy harsh fines against those who violate its privacy and security standards, with penalties reaching into the tens of millions of euros.
With the GDPR, Europe is signaling its firm stance on data privacy and security at a time when more people are entrusting their personal data with cloud services and breaches are a daily occurrence. The regulation itself is large, far-reaching, and fairly light on specifics, making GDPR compliance a daunting prospect, particularly for small and medium-sized enterprises (SMEs).