ISO/IEC 27040:2024 Information technology — Security techniques — Storage security

Standard number: ISO/IEC 27040:2024

Chinese title: 信息技术 安全技术 存储安全

English title: Information technology — Security techniques — Storage security

Publication date: 2024-01

Scope of the standard

This document provides detailed technical requirements and guidance on how organizations can achieve an appropriate level of risk mitigation by employing a well-proven and consistent approach to the planning, design, documentation, and implementation of data storage security. Storage security applies to the protection of data both while stored in information and communications technology (ICT) systems and while in transit across the communication links associated with storage. Storage security includes the security of devices and media, management activities related to the devices and media, applications and services, and controlling or monitoring user activities during the lifetime of devices and media, and after end of use or end of life.
Storage security is relevant to anyone involved in owning, operating, or using data storage devices, media, and networks. This includes senior managers, acquirers of storage products and services, and other non-technical managers or users, in addition to managers and administrators who have specific responsibilities for information or storage security, storage operation, or who are responsible for an organization’s overall security programme and security policy development. It is also relevant to anyone involved in the planning, design, and implementation of the architectural aspects of storage network security.
This document provides an overview of storage security concepts and related definitions. It includes requirements and guidance on the threats, design, and control aspects associated with typical storage scenarios and storage technology areas. In addition, it provides references to other international standards and technical reports that address existing practices and techniques that can be applied to storage security.
