A security steering committee is responsible for making decisions on tactical and strategic security issues within the enterprise as a whole and should not be tied to one or more business units. The group should be made up of people from all over the organization so they can view risks and the effects of security decisions on individual departments and the organization as a whole. The CEO should head this committee, and the CFO, CIO, department managers, and chief internal auditor should all be on it.
The security steering committee takes the whole enterprise into view and makes the overall decisions on its tactical and strategic security issues; it should not be tied too closely to any business unit. Its members come from every part of the organization so they can view security risk and the effects of security decisions both from their own department's perspective and from that of the organization as a whole. The CEO should lead the committee, and the CFO, CIO, department managers, and chief internal auditor should take part in it.
This committee should meet at least quarterly and have a well-defined agenda.
It should meet at least quarterly and have a well-defined agenda.
Some of the group’s responsibilities are as follows:
• Define the acceptable risk level for the organization.
• Develop security objectives and strategies.
• Determine priorities of security initiatives based on business needs.
• Review risk assessment and auditing reports.
• Monitor the business impact of security risks.
• Review major security breaches and incidents.
• Approve any major change to the security policy and program.
They should also have a clearly defined vision statement in place that is set up to work with and support the organizational intent of the business. The statement should be structured in a manner that provides support for the goals of confidentiality, integrity, and availability as they pertain to the business objectives of the organization. This in turn should be followed, or supported, by a mission statement that provides support and definition to the processes that will apply to the organization and allow it to reach its business goals.
A clearly defined vision statement should be in place that supports the organization's business objectives. The statement should support the goals of confidentiality, integrity, and availability, since these are bound up with the organization's business objectives. A mission statement must in turn satisfy that vision statement; the mission statement provides support for defining the processes that, once applied to the organization, help it reach its business goals.
The audit committee should be appointed by the board of directors to help it review and evaluate the company’s internal operations, internal audit system, and the transparency and accuracy of financial reporting so the company’s investors, customers, and creditors have continued confidence in the organization.
The audit committee is appointed by the board of directors to help it review and evaluate the company's internal operations, its internal audit system, and the transparency and accuracy of its financial reporting, so that investors, customers, and creditors keep their confidence in the organization.
This committee is usually responsible for at least the following items:
• The integrity of the company’s financial statements and other financial information provided to stockholders and others
• The company’s system of internal controls
• The engagement and performance of the independent auditors
• The performance of the internal audit function
• Compliance with legal requirements, regulations, and company policies regarding ethical conduct
The goal of this committee is to provide independent and open communications among the board of directors, the company’s management, the internal auditors, and external auditors. Financial statement integrity and reliability are crucial to every organization, and many times pressure from shareholders, management, investors, and the public can directly affect the objectivity and correctness of these financial documents. In the wake of high-profile corporate scandals, the audit committee’s role has shifted from just overseeing, monitoring, and advising company management to enforcing and ensuring accountability on the part of all individuals involved. This committee must take input from external and internal auditors and outside experts to help ensure the company’s internal control processes and financial reporting are taking place properly.
The purpose of this committee is to build independent and open channels of communication among the board of directors, company management, the internal auditors, and the external auditors. The integrity and reliability of financial statements are critical to every organization, and pressure from shareholders, management, and the public can often affect the objectivity and accuracy of these financial documents. In the wake of high-profile corporate scandals, the audit committee's role has shifted from merely overseeing, monitoring, and advising company management to enforcing and ensuring accountability on the part of everyone involved. The committee must also take input from external and internal auditors and from outside experts to help ensure that the company's internal control processes and financial reporting are handled properly.
The data owner (information owner) is usually a member of management who is in charge of a specific business unit, and who is ultimately responsible for the protection and use of a specific subset of information. The data owner has due care responsibilities and thus will be held responsible for any negligent act that results in the corruption or disclosure of the data. The data owner decides upon the classification of the data she is responsible for and alters that classification if the business need arises. This person is also responsible for ensuring that the necessary security controls are in place, defining security requirements per classification and backup requirements, approving any disclosure activities, ensuring that proper access rights are being used, and defining user access criteria. The data owner approves access requests or may choose to delegate this function to business unit managers. And the data owner will deal with security violations pertaining to the data she is responsible for protecting. The data owner, who obviously has enough on her plate, delegates responsibility of the day-to-day maintenance of the data protection mechanisms to the data custodian.
The data owner is usually a member of management who is in charge of a business unit and bears ultimate responsibility for the protection and use of a particular subset of data.
The data owner has due care responsibilities and is therefore held responsible for any negligent act that results in the corruption or disclosure of the data. The data owner decides the classification of the data she is responsible for and changes that classification when the business requires it. She is also responsible for ensuring that the necessary security controls are implemented, defining the security and backup requirements for each classification, approving any disclosure activities, ensuring that proper access rights are applied, and defining user access criteria. The data owner may approve access requests herself or delegate that authority to business unit managers. She also handles security violations pertaining to the data she is responsible for protecting. A data owner with too much on her plate can delegate the day-to-day maintenance of the data protection mechanisms to the data custodian.
The data custodian (information custodian) is responsible for maintaining and protecting the data. This role is usually filled by the IT or security department, and the duties include implementing and maintaining security controls; performing regular backups of the data; periodically validating the integrity of the data; restoring data from backup media; retaining records of activity; and fulfilling the requirements specified in the company’s security policy, standards, and guidelines that pertain to information security and data protection.
The data custodian (also called the information custodian) is responsible for protecting and maintaining the data. This role is usually filled by IT or security department staff, and its duties include implementing and maintaining security controls, performing regular backups of the data, periodically validating the integrity of the data, restoring data from backup media, retaining activity records, and fulfilling the requirements of the company's information security policy, standards, and guidelines that pertain to information security and data protection.
The system owner is responsible for one or more systems, each of which may hold and process data owned by different data owners. A system owner is responsible for integrating security considerations into application and system purchasing decisions and development projects. The system owner is responsible for ensuring that adequate security is being provided by the necessary controls, password management, remote access controls, operating system configurations, and so on. This role must ensure the systems are properly assessed for vulnerabilities and must report any to the incident response team and data owner.
The system owner is responsible for one or more systems, each of which may hold and process data belonging to different data owners. The system owner is responsible for integrating security considerations into application and system purchasing decisions and into development projects. The system owner also ensures that adequate security is provided through appropriate controls, password management, remote access controls, operating system configuration, and so on. This role must ensure that vulnerabilities are properly assessed and must report them to the incident response team and the data owner.
Note: Data Owner Issues
Each business unit should have a data owner who protects the unit’s most critical information. The company’s policies must give the data owners the necessary authority to carry out their tasks.
Every business unit should have a data owner who protects the unit's most important information. Company policy must give the owner the authority needed to do that job.
This is not a technical role, but rather a business role that must understand the relationship between the unit’s success and the protection of this critical asset. Not all businesspeople understand this role, so they should be given the necessary training.
This is not a technical role but a business role, one that must understand the relationship between the unit's success and the protection of its critical assets. Not all businesspeople understand this role, so the necessary training must be provided.
The security administrator is responsible for implementing and maintaining specific security network devices and software in the enterprise. These controls commonly include firewalls, IDS, IPS, antimalware, security proxies, data loss prevention, etc. It is common for there to be delineation between the security administrator and the network administrator. The security administrator has the main focus of keeping the network secure, and the network administrator has the focus of keeping things up and running.
The security administrator is responsible for implementing and maintaining specific security network devices and software within the enterprise. These controls generally include firewalls, IDS, IPS, antimalware, security proxies, data loss prevention, and so on. The roles of security administrator and network administrator are commonly kept separate: the security administrator concentrates on keeping the network secure, while the network administrator concentrates on keeping things up and running.
A security administrator’s tasks commonly also include creating new system user accounts, implementing new security software, testing security patches and components, and issuing new passwords. The security administrator must make sure access rights given to users support the policies and data owner directives.
A security administrator's work generally includes creating new system user accounts, implementing new security software, testing security patches and components, and issuing new passwords. The security administrator must ensure that the access rights granted to users are consistent with policy and with the data owner's directives.
The security analyst role works at a higher, more strategic level than the previously described roles and helps develop policies, standards, and guidelines, as well as set various baselines. Whereas the previous roles are “in the weeds” and focus on pieces and parts of the security program, a security analyst helps define the security program elements and follows through to ensure the elements are being carried out and practiced properly. This person works more at a design level than at an implementation level.
The security analyst works at a higher, more strategic level than the roles described above, helping to develop policies, standards, and guidelines and to set various baselines. Whereas the previous roles concentrate on individual pieces of the security program, the security analyst helps define the program's elements and follows through to ensure they are carried out and practiced correctly. The analyst works at the design level rather than the implementation level.
Some applications are specific to individual business units—for example, the accounting department has accounting software, R&D has software for testing and development, and quality assurance uses some type of automated system. The application owners, usually the business unit managers, are responsible for dictating who can and cannot access their applications (subject to staying in compliance with the company’s security policies, of course).
Since each unit claims ownership of its specific applications, the application owner for each unit is responsible for the security of the unit’s applications. This includes testing, patching, performing change control on the programs, and making sure the right controls are in place to provide the necessary level of protection.
Different business units have software specific to them. The application owner is usually the business unit manager, who decides who may and may not access the unit's applications, subject of course to the company's security policy.
Because the business unit owns its applications, it is also responsible for their security. This includes testing, patching, change control, and putting the right access controls in place to provide the required level of protection.
The supervisor role, also called user manager, is ultimately responsible for all user activity and any assets created and owned by these users. For example, suppose Kathy is the supervisor of ten employees. Her responsibilities would include ensuring that these employees understand their responsibilities with respect to security; making sure the employees’ account information is up-to-date; and informing the security administrator when an employee is fired, suspended, or transferred. Any change that pertains to an employee’s role within the company usually affects what access rights they should and should not have, so the user manager must inform the security administrator of these changes immediately.
Also called the user manager, the supervisor is responsible for all user activity and for any assets created and owned by those users.
Examples of responsibilities: ensuring employees understand their security responsibilities; keeping employee account information up to date; notifying the security administrator when an employee is fired, suspended, or transferred.
Since the only thing that is constant is change, someone must make sure changes happen securely. The change control analyst is responsible for approving or rejecting requests to make changes to the network, systems, or software. This role must make certain that the change will not introduce any vulnerabilities, that it has been properly tested, and that it is properly rolled out. The change control analyst needs to understand how various changes can affect security, interoperability, performance, and productivity. Or, a company can choose to just roll out the change and see what happens….
Approves or rejects changes to the network, systems, or software. Must confirm that the change introduces no vulnerabilities, has been properly tested, and is rolled out smoothly. The change control analyst needs to understand how changes affect security, interoperability, performance, and productivity.
Having proper data structures, definitions, and organization is very important to a company. The data analyst is responsible for ensuring that data is stored in a way that makes the most sense to the company and the individuals who need to access and work with it. For example, payroll information should not be mixed with inventory information, the purchasing department needs to have a lot of its values in monetary terms, and the inventory system must follow a standardized naming scheme. The data analyst may be responsible for architecting a new system that will hold company information, or advise in the purchase of a product that will do so.
The data analyst works with the data owners to help ensure that the structures set up coincide with and support the company’s business objectives.
Proper data structures, definitions, and organization are very important. The data analyst is responsible for ensuring that data is stored in the way that best serves the company and the individuals who need to access and work with it. The data analyst may be responsible for architecting a new system to hold company information, or for advising on the purchase of one.
The data analyst works with the data owners to ensure that the structures set up support the company's business objectives.
Ever heard the popular mantra, “Security is not a product, it’s a process”? The statement is very true. Security should be considered and treated like any another business process—not as its own island, nor like a redheaded stepchild with cooties. (The author is a redheaded stepchild, but currently has no cooties.)
All organizations have many processes: how to take orders from customers; how to make widgets to fulfill these orders; how to ship the widgets to the customers; how to collect from customers when they don’t pay their bills; and so on. An organization could not function properly without well-defined processes.
The process owner is responsible for properly defining, improving upon, and monitoring these processes. A process owner is not necessarily tied to one business unit or application. Complex processes involve many variables that can span different departments, technologies, and data types.
"Security is not a product, it's a process."
Without well-defined processes, an organization cannot function properly.
The process owner is responsible for properly defining, improving, and monitoring these processes. The process owner is not tied to any single business unit or application. Complex processes may span different departments, technologies, and data types.
Every vendor you talk to will tell you they are the right solution provider for whatever ails you. In truth, several different types of solution providers exist because the world is full of different problems. This role is called upon when a business has a problem or requires a process to be improved upon. For example, if Company A needs a solution that supports digitally signed e-mails and an authentication framework for employees, it would turn to a public key infrastructure (PKI) solution provider. A solution provider works with the business unit managers, data owners, and senior management to develop and deploy a solution to reduce the company’s pain points.
A solution provider works with business unit managers, data owners, and senior management to develop and deploy solutions that reduce the company's pain points.
The user is any individual who routinely uses the data for work-related tasks. The user must have the necessary level of access to the data to perform the duties within their position and is responsible for following operational security procedures to ensure the data’s confidentiality, integrity, and availability to others.
The user is any individual who routinely uses the data to perform work tasks. Users must have the level of data access needed to do their jobs, and they are responsible for following operational security procedures to preserve the data's confidentiality, integrity, and availability.
Who’s responsible for explaining business requirements to vendors and wading through their rhetoric to see if the product is right for the company? Who is responsible for ensuring compliance to license agreements? Who translates business requirements into objectives and specifications for the developer of a product or solution? Who decides if the company really needs to upgrade their operating system version every time Microsoft wants to make more money? That would be the product line manager.
This role must understand business drivers, business processes, and the technology that is required to support them. The product line manager evaluates different products in the market, works with vendors, understands different options a company can take, and advises management and business units on the proper solutions needed to meet their goals.
This role must understand business drivers, business processes, and the technology needed to support them. The product line manager evaluates the different products on the market, works with vendors, understands the options open to the company, and advises management and business units on the right solutions to meet their goals.
The function of the auditor is to come around periodically and make sure you are doing what you are supposed to be doing. They ensure the correct controls are in place and are being maintained securely. The goal of the auditor is to make sure the organization complies with its own policies and the applicable laws and regulations. Organizations can have internal auditors and/or external auditors. The external auditors commonly work on behalf of a regulatory body to make sure compliance is being met. In an earlier section we covered CobiT, which is a model that most information security auditors follow when evaluating a security program.
While many security professionals fear and dread auditors, they can be valuable tools in ensuring the overall security of the organization. Their goal is to find the things you have missed and help you understand how to fix the problem.
Auditors come around periodically to make sure you are doing what you are supposed to be doing. They ensure that the correct controls are in place and are maintained securely. The auditor's goal is to make sure the organization complies with its own policies and with applicable laws and regulations. There are internal auditors and external auditors; external auditors usually work on behalf of a regulatory body to make sure compliance is met. CobiT is the model that many security auditors follow.
Although many people dread auditors, their work is valuable. Their goal is to find the things you have missed and help you understand how to fix them.
Most organizations will not have all the roles previously listed, but what is important is to build an organizational structure that contains the necessary roles and map the correct security responsibilities to them. This structure includes clear definitions of responsibilities, lines of authority and communication, and enforcement capabilities. A clear-cut structure takes the mystery out of who does what and how things are handled in different situations.
Not every organization will have all the roles listed above; what matters is building an organizational structure that contains the necessary roles and maps the security responsibilities onto them. This structure includes clear definitions of responsibilities, lines of authority and communication, and enforcement capabilities. A clearly defined structure makes it plain who does what, and how, in different situations.
Many facets of the responsibilities of personnel fall under management’s umbrella, and several facets have a direct correlation to the overall security of the environment.
Personnel must be managed.
Although society has evolved to be extremely dependent upon technology in the workplace, people are still the key ingredient to a successful company. But in security circles, people are often the weakest link. Either accidentally through mistakes or lack of training, or intentionally through fraud and malicious intent, personnel cause more serious and hard-to-detect security issues than hacker attacks, outside espionage, or equipment failure. Although the future actions of individuals cannot be predicted, it is possible to minimize the risks by implementing preventive measures. These include hiring the most qualified individuals, performing background checks, using detailed job descriptions, providing necessary training, enforcing strict access controls, and terminating individuals in a way that protects all parties involved.
People are the key to a company's success, but in security they are often the weakest link. Whether by accident or by intent, personnel can cause more serious and harder-to-detect problems than hackers, outside espionage, or equipment failure. Although people's behavior cannot be predicted, preventive measures can minimize the risk: hiring the most qualified individuals, performing background checks, writing detailed job descriptions, providing the necessary training, enforcing strict access controls, and terminating individuals in a way that protects all parties involved.
Several items can be put into place to reduce the possibilities of fraud, sabotage, misuse of information, theft, and other security compromises. Separation of duties makes sure that one individual cannot complete a critical task by herself. In the movies, when a submarine captain needs to launch a nuclear torpedo to blow up the enemy and save civilization as we know it, the launch usually requires three codes to be entered into the launching mechanism by three different senior crewmembers. This is an example of separation of duties, and it ensures that the captain cannot complete such an important and terrifying task all by himself.
Separation of duties ensures that one person cannot complete a critical task alone.
Separation of duties is a preventative administrative control put into place to reduce the potential of fraud. For example, an employee cannot complete a critical financial transaction by herself. She will need to have her supervisor’s written approval before the transaction can be completed.
Separation of duties is a preventive administrative control.
In an organization that practices separation of duties, collusion must take place for fraud to be committed. Collusion means that at least two people are working together to cause some type of destruction or fraud. In our example, the employee and her supervisor must be participating in the fraudulent activity to make it happen.
Where separation of duties is practiced, fraud requires collusion.
Two variations of separation of duties are split knowledge and dual control. In both cases, two or more individuals are authorized and required to perform a duty or task. In the case of split knowledge, no one person knows or has all the details to perform a task. For example, two managers might be required to open a bank vault, with each only knowing part of the combination. In the case of dual control, two individuals are again authorized to perform a task, but both must be available and active in their participation to complete the task or mission. For example, two officers must perform an identical key-turn in a nuclear missile submarine, each out of reach of the other, to launch a missile. The control here is that no one person has the capability of launching a missile, because they cannot reach to turn both keys at the same time.
Two variations of separation of duties are split knowledge and dual control.
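The two controls described above can be modelled directly in code. The following is an added example, not part of the original text: a transaction that needs two distinct approvers other than the requester (dual control), and a vault code handed out as two shares so that no single manager knows the whole value (split knowledge). The names, roles, amounts and the vault code are constructed for the example.

```python
"""Separation of duties in code: dual control and split knowledge.

Added example, not from the original text. All names, roles, amounts and the
vault code are constructed for illustration.
"""
import secrets
from dataclasses import dataclass, field

# Constructed set of people allowed to approve critical transactions.
AUTHORISED_APPROVERS = {"alice", "bob", "carol"}


@dataclass
class Transaction:
    """A critical financial transaction that must be approved by others."""
    tx_id: str
    requester: str
    amount: int
    approvals: list = field(default_factory=list)

    def approve(self, approver: str, authorised=AUTHORISED_APPROVERS) -> bool:
        """Record an approval unless it would break separation of duties."""
        if approver not in authorised:
            return False            # no authority to approve at all
        if approver == self.requester:
            return False            # self-approval defeats the control
        if approver in self.approvals:
            return False            # one person cannot supply both approvals
        self.approvals.append(approver)
        return True

    def is_complete(self, required: int = 2) -> bool:
        """Dual control: `required` distinct approvers must have taken part."""
        return len(set(self.approvals)) >= required


def split_secret(secret: bytes):
    """Split knowledge: return two shares of `secret`.

    share1 is uniformly random and share2 = secret XOR share1, so a manager
    holding either share alone learns nothing about the full vault code.
    """
    share1 = secrets.token_bytes(len(secret))
    share2 = bytes(a ^ b for a, b in zip(secret, share1))
    return share1, share2


def combine_shares(share1: bytes, share2: bytes) -> bytes:
    """Recover the secret; both shares must be present."""
    if len(share1) != len(share2):
        raise ValueError("shares do not match")
    return bytes(a ^ b for a, b in zip(share1, share2))


if __name__ == "__main__":
    tx = Transaction("TX-1001", requester="alice", amount=250_000)
    print(tx.approve("alice"))   # False: requester cannot approve herself
    print(tx.approve("bob"))     # True
    print(tx.approve("bob"))     # False: same person cannot approve twice
    print(tx.is_complete())      # False: dual control needs a second person
    print(tx.approve("carol"))   # True
    print(tx.is_complete())      # True
    a, b = split_secret(b"38-24-17")
    print(combine_shares(a, b))  # b'38-24-17'
```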
Rotation of duties (rotation of assignments) is an administrative detective control that can be put into place to uncover fraudulent activities. No one person should stay in one position for a long time because they may end up having too much control over a segment of the business. Such total control could result in fraud or the misuse of resources. Employees should be moved into different roles with the idea that they may be able to detect suspicious activity carried out by the previous employee carrying out that position. This type of control is commonly implemented in financial institutions.
Rotation of duties is a detective administrative control used to uncover fraudulent activity. It is commonly used in financial institutions.
Employees in sensitive areas should be forced to take their vacations, which is known as a mandatory vacation. While they are on vacation, other individuals fill their positions and thus can usually detect any fraudulent errors or activities. Two of the many ways to detect fraud or inappropriate activities would be the discovery of activity on someone’s user account while they’re supposed to be away on vacation, or if a specific problem stopped while someone was away and not active on the network. These anomalies are worthy of investigation. Employees who carry out fraudulent activities commonly do not take vacations because they do not want anyone to figure out what they are doing behind the scenes. This is why they must be forced to be away from the organization for a period of time, usually two weeks.
Personnel in sensitive areas should be required to take vacation (mandatory vacation). Two ways to detect fraud or inappropriate activity: activity on someone's account while they are on vacation, or a particular problem that stops occurring while someone is away and not active on the network.
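The first detection the paragraph above describes, activity on an account whose owner is supposed to be on mandatory vacation, is something a log review can do mechanically. The block below is an added example, not from the original text; the vacation schedule, user names and log lines are constructed, and the log format (ISO timestamp, user, event, source address) is an assumption.

```python
"""Flagging account activity during a mandatory vacation.

Added example, not from the original text. The vacation schedule, user names
and log lines are constructed; the log format is an assumption.
"""
from datetime import date, datetime

# Constructed schedule: user -> (first day away, last day away), inclusive.
VACATIONS = {
    "jsmith": (date(2024, 3, 4), date(2024, 3, 15)),
    "mlee": (date(2024, 3, 11), date(2024, 3, 22)),
}

# Constructed authentication/application log: timestamp user event source.
AUTH_LOG = """\
2024-03-01T09:02:11 jsmith LOGIN_OK 10.1.4.22
2024-03-06T22:47:03 jsmith LOGIN_OK 10.1.4.22
2024-03-07T01:12:45 jsmith WIRE_APPROVED 10.1.4.22
2024-03-08T10:15:00 tkhan LOGIN_OK 10.1.7.9
2024-03-12T08:30:19 mlee LOGIN_FAIL 203.0.113.8
2024-03-18T14:02:51 jsmith LOGIN_OK 10.1.4.22
"""


def parse_line(line: str):
    """Split one log line into (timestamp, user, event, source)."""
    ts, user, event, src = line.split()
    return datetime.fromisoformat(ts), user, event, src


def is_away(user: str, day: date, vacations=VACATIONS) -> bool:
    """True if `user` is scheduled to be on mandatory vacation on `day`."""
    window = vacations.get(user)
    return window is not None and window[0] <= day <= window[1]


def find_vacation_activity(log_text: str, vacations=VACATIONS):
    """Return every log event attributed to a user who should be away.

    Any activity counts, including failed logins: the account should be idle,
    so each hit is worth investigating (someone else using the credentials,
    or the employee working while supposedly away).
    """
    findings = []
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        ts, user, event, src = parse_line(raw)
        if is_away(user, ts.date(), vacations):
            findings.append({"user": user, "when": ts.isoformat(),
                             "event": event, "source": src})
    return findings


def summarize(findings):
    """Count flagged events per user for the investigation queue."""
    counts = {}
    for f in findings:
        counts[f["user"]] = counts.get(f["user"], 0) + 1
    return counts


if __name__ == "__main__":
    hits = find_vacation_activity(AUTH_LOG)
    for h in hits:
        print(h)
    print(summarize(hits))   # {'jsmith': 2, 'mlee': 1}
```

The entries for jsmith on 2024-03-06 and 2024-03-07 and for mlee on 2024-03-12 fall inside their vacation windows and are flagged; the jsmith logins before and after the window are not.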
Key Terms
• Data owner: Individual responsible for the protection and classification of a specific data set.
• Data custodian: Individual responsible for implementing and maintaining security controls to meet security requirements outlined by the data owner.
• Separation of duties: Preventive administrative control used to ensure one person cannot carry out a critical task alone.
• Collusion: Two or more people working together to carry out fraudulent activities.
• Rotation of duties: Detective administrative control used to uncover potential fraudulent activities.
• Mandatory vacation: Detective administrative control used to uncover potential fraudulent activities by requiring a person to be away from the organization for a period of time.
Depending on the position to be filled, a level of screening should be done by human resources to ensure the company hires the right individual for the right job. Skills should be tested and evaluated, and the caliber and character of the individual should be examined. Joe might be the best programmer in the state, but if someone looks into his past and finds out he served prison time because he continually flashes old ladies in parks, the hiring manager might not be so eager to bring Joe into the organization.
Human resources should screen candidates against the requirements of the position. Skills should be tested and evaluated, and the candidate's caliber and character examined.
Nondisclosure agreements must be developed and signed by new employees to protect the company and its sensitive information. Any conflicts of interest must be addressed, and there should be different agreements and precautions taken with temporary and contract employees.
New employees must sign nondisclosure agreements. Different agreements and precautions should be used for temporary and contract employees.
References should be checked, military records reviewed, education verified, and if necessary, a drug test should be administered. Many times, important personal behaviors can be concealed, and that is why hiring practices now include scenario questions, personality tests, and observations of the individual, instead of just looking at a person’s work history. When a person is hired, he is bringing his skills and whatever other baggage he carries. A company can reduce its heartache pertaining to personnel by first conducting useful and careful hiring practices.
Because applicants may conceal things, the various checks and verifications must be carried out.
The goal is to hire the “right person” and not just hire a person for “right now.” Employees represent an investment on the part of the organization, and by taking the time and hiring the right people for the jobs, the organization will be able to maximize their investment and achieve a better return.
The goal is to hire the "right person" rather than the person who is "right for now". Employees are part of the organization's investment; by taking the time to hire the right people, the organization maximizes the return on that investment.
A more detailed background check can reveal some interesting information. Things like unexplained gaps in employment history, the validity and actual status of professional certifications, criminal records, driving records, job titles that have been misrepresented, credit histories, unfriendly terminations, appearances on suspected terrorist watch lists, and even real reasons for having left previous jobs can all be determined through the use of background checks. This has real benefit to the employer and the organization because it serves as the first line of defense for the organization against being attacked from within. Any negative information that can be found in these areas could be indicators of potential problems that the potential employee could create for the company at a later date. Take the credit report for instance. On the surface, this may seem to be something the organization doesn’t need to know about, but if the report indicates the potential employee has a poor credit standing and a history of financial problems, it could mean you don’t want to place them in charge of the organization’s accounting, or even the petty cash.
A detailed background check can reveal much of interest. It matters greatly to the organization because it is the first line of defense against attack from within. Negative findings are indicators of trouble the person might cause the company later.
Ultimately, the goal here is to achieve several different things at the same time by using a background check. You’re trying to mitigate risk, lower hiring costs, and also lower the turnover rate for employees. All this is being done at the same time you are trying to protect your existing customers and employees from someone gaining employment in your organization who could potentially conduct malicious and dishonest actions that could harm you, your employees, and your customers as well as the general public. In many cases, it is also harder to go back and conduct background checks after the individual has been hired and is working. This is because there will need to be a specific cause or reason for conducting this kind of investigation, and if any employee moves to a position of greater security sensitivity or potential risk, a follow-up investigation should be considered.
A background check serves three purposes at once: mitigating risk, lowering hiring costs, and lowering employee turnover. Once someone has been hired, a further investigation requires a specific justification. When a person moves to a more sensitive or higher-risk position, a follow-up background check should be considered.
Possible background check criteria could include:
• A Social Security number trace
• A county/state criminal check
• A federal criminal check
• A sexual offender registry check
• Employment verification
• Education verification
• Professional reference verification
• An immigration check
• Professional license/certification verification
• Credit report
• Drug screening
Because terminations can happen for a variety of reasons, and terminated people have different reactions, companies should have a specific set of procedures to follow with every termination. For example:
Terminations happen for all sorts of reasons, and everyone reacts differently, so the company should have a fixed procedure to follow for every termination.
• The employee must leave the facility immediately under the supervision of a manager or security guard.
• The employee must surrender any identification badges or keys, complete an exit interview, and return company supplies.
• That user’s accounts and passwords should be disabled or changed immediately.
It seems harsh and cold when this actually takes place, but too many companies have been hurt by vengeful employees who have lashed out at the company when their positions were revoked for one reason or another. If an employee is disgruntled in any way, or the termination is unfriendly, that employee’s accounts should be disabled right away, and all passwords on all systems changed.
This may seem harsh and unfeeling, but there have been too many cases of employees retaliating after being let go. If a terminated employee is disgruntled, his accounts should be disabled immediately and all passwords on all systems changed.
For an organization to achieve the desired results of its security program, it must communicate the what, how, and why of security to its employees. Security-awareness training should be comprehensive, tailored for specific groups, and organization-wide. It should repeat the most important messages in different formats; be kept up-to-date; be entertaining, positive, and humorous; be simple to understand; and—most important—be supported by senior management. Management must allocate the resources for this activity and enforce its attendance within the organization.
For the security program to reach its goal, the what, how, and why of security must be communicated to employees. Security-awareness training should be comprehensive, tailored to specific groups, and implemented organization-wide. Important messages should be repeated in different formats. It must have senior management's support: management allocates the resources for the activity and enforces attendance.
The goal is for each employee to understand the importance of security to the company as a whole and to each individual. Expected responsibilities and acceptable behaviors must be clarified, and noncompliance repercussions, which could range from a warning to dismissal, must be explained before being invoked. Security-awareness training is performed to modify employees’ behavior and attitude toward security. This can best be achieved through a formalized process of security-awareness training.
The goal is for every employee to understand the importance of security to the company and to the individual. Expected responsibilities and acceptable behavior must be made clear, and the consequences of noncompliance must be explained. Security-awareness training is used to change employees' behavior and attitude toward security, which is best achieved through a formal security-awareness training process.
Because security is a topic that can span many different aspects of an organization, it can be difficult to communicate the correct information to the right individuals. By using a formalized process for security-awareness training, you can establish a method that will provide you with the best results for making sure security requirements are presented to the right people in an organization. This way you can make sure everyone understands what is outlined in the organization’s security program, why it is important, and how it fits into the individual’s role in the organization. The higher levels of training may be more general and deal with broader concepts and goals, and as it moves down to specific jobs and tasks, the training will become more situation-specific as it directly applies to certain positions within the company.
Because security touches many different aspects of the organization, it is hard to communicate the right information to the right people. A formal training process establishes a method that gives the best results in ensuring security requirements reach the right people in the organization. This way everyone understands what the organization's security program lays out, why it matters, and how it maps onto their own role in the organization. Higher-level training may be more general and address broader concepts and goals; as it moves down to specific jobs and tasks, the training becomes more situation-specific because it applies directly to particular positions in the company.
A security-awareness program is typically created for at least three types of audiences: management, staff, and technical employees. Each type of awareness training must be geared toward the individual audience to ensure each group understands its particular responsibilities, liabilities, and expectations. If technical security training were given to senior management, their eyes would glaze over as soon as protocols and firewalls were mentioned. On the flip side, if legal ramifications, company liability issues pertaining to protecting data, and shareholders’ expectations were discussed with the IT group, they would quickly turn to their smart phone and start tweeting, browsing the Internet, or texting their friends.
Security-awareness training has three kinds of audience: management, staff, and technical personnel. Each kind of training should be tailored so that each group understands its own responsibilities, liabilities, and expectations.
Members of management would benefit the most from a short, focused security awareness orientation that discusses corporate assets and financial gains and losses pertaining to security. They need to know how stock prices can be negatively affected by compromises, understand possible threats and their outcomes, and know why security must be integrated into the environment the same way as other business processes. Because members of management must lead the rest of the company in support of security, they must gain the right mindset about its importance.
Management benefits most from a short, focused security awareness session that discusses corporate assets and the financial gains and losses related to security. They need to know that a security compromise can hurt the company's stock price, understand the possible threats and their consequences, and know why security must be integrated into the environment like any other business process. Because managers must lead the rest of the company in supporting security work, they must have the right understanding of its importance.
Mid-management would benefit from a more detailed explanation of the policies, procedures, standards, and guidelines and how they map to the individual departments for which they are responsible. Middle managers should be taught why their support for their specific departments is critical and what their level of responsibility is for ensuring that employees practice safe computing activities. They should also be shown how the consequences of noncompliance by individuals who report to them can affect the company as a whole and how they, as managers, may have to answer for such indiscretions.
Middle managers benefit from detailed knowledge of the policies, procedures, standards, and guidelines and of how these map to the departments they are responsible for. Middle managers should be told that their support is critical for their departments, and that they are also responsible for ensuring their employees practice safe computing. They should also be shown the consequences that noncompliance by their subordinates can have for the company as a whole, and the responsibility they will have to bear for it.
The technical departments must receive a different presentation that aligns more to their daily tasks. They should receive a more in-depth training to discuss technical configurations, incident handling, and recognizing different types of security compromises.
Technical departments need training that is more closely tied to their daily work. They need more in-depth training on technical configuration, incident handling, and recognizing different kinds of security compromises.
It is usually best to have each employee sign a document indicating they have heard and understand all the security topics discussed, and that they also understand the ramifications of noncompliance. This reinforces the policies’ importance to the employee and also provides evidence down the road if the employee claims they were never told of these expectations. Awareness training should happen during the hiring process and at least annually after that. Attendance of training should also be integrated into employment performance reports.
It is best to have every employee sign a document stating that they have been informed of and understand all the security topics discussed, and that they understand the consequences of noncompliance. This reinforces the importance of the policies and provides evidence later if an employee claims they were never told of these expectations. Security awareness training should take place during hiring and at least once a year afterward. Training attendance should also be tied into performance reports.
Various methods should be employed to reinforce the concepts of security awareness. Things like banners, employee handbooks, and even posters can be used as ways to remind employees about their duties and the necessities of good security practices.
Different methods should be used to reinforce security awareness: banners, handbooks, posters, and so on.
Some roles within the organization need hands-on experience and skill, meaning that the hiring manager should be looking for specific industry certifications. Some positions require more of a holistic and foundational understanding of concepts or a business background, and in those cases a degree may be required. Table 2-12 provides more information on the differences between awareness, training, and education.
Some roles within the organization require hands-on experience and skills, so the hiring manager should look for people with specific industry certifications. Some positions require a holistic and foundational understanding of concepts or a business background, and a degree may be required. The table below gives the differences between awareness, training, and education.
| | Awareness | Training | Education |
|---|---|---|---|
| Attribute | “What” | “How” | “Why” |
| Level | Information | Knowledge | Insight |
| Learning objective | Recognition and retention | Skill | Understanding |
| Example teaching method | Media: videos, newsletters, posters | Practical instruction: lecture and/or demo, case study, hands-on practice | Theoretical instruction: seminar and discussion, reading and study, research |
| Test measure | True/False, multiple choice (identify learning) | Problem solving, i.e. recognition and resolution (apply learning) | Essay (interpret learning) |
| Impact timeframe | Short-term | Intermediate | Long-term |
An organization may be following many of the items laid out in this chapter: building a security program, integrating it into their business architecture, developing a risk management program, documenting the different aspects of the security program, performing data protection, and training their staff. But how do we know we are doing it all correctly and on an ongoing basis? This is where security governance comes into play. Security governance is a framework that allows for the security goals of an organization to be set and expressed by senior management, communicated throughout the different levels of the organization, grant power to the entities needed to implement and enforce security, and provide a way to verify the performance of these necessary security activities. Not only does senior management need to set the direction of security, it needs a way to be able to view and understand how their directives are being met or not being met.
An organization may have followed many of the items listed in this chapter: built a security program, integrated it into the business architecture, developed a risk management program, documented the different aspects of the security program, performed data protection, and trained the staff. But how do we know we are doing it right and staying on the right path? This is what security governance addresses. Security governance is a framework that lets senior management set and express the organization's security goals, communicates them across the levels of the organization, grants authority to the entities that need to implement and enforce security, and provides a way to verify that these security activities are effective. Not only must senior management set the direction for security, there must also be a way to see and understand whether their direction is being met or not.
If a board of directors and CEO demand that security be integrated properly at all levels of the organization, how do they know it is really happening? Oversight mechanisms must be developed and integrated so that the people who are ultimately responsible for an organization are constantly and consistently updated on the overall health and security posture of the organization. This happens through properly defined communication channels, standardized reporting methods, and performance-based metrics.
If the board of directors and the CEO require that security be properly integrated at all levels of the organization, how do they know it is really being done? Oversight mechanisms must be developed and integrated so that the people ultimately responsible for the organization's security are constantly updated on the organization's overall health and security posture. This is achieved through properly defined communication channels, standardized reporting methods, performance-based metrics, and so on.
Let’s compare two companies. Company A has an effective security governance program in place and Company B does not. Now, to the untrained eye it would seem as though Companies A and B are equal in their security practices because they both have security policies, procedures, standards, the same security technology controls (firewalls, IDSs, identity management, and so on), security roles are defined, and security awareness is in place. You may think, “Man, these two companies are on the ball and quite evolved in their security programs.” But if you look closer, you will see some critical differences (listed in Table 2-13).
Compare two companies: Company A has an effective security governance program and Company B does not. On the surface they look alike: both have security policies, procedures, standards, the same security technology controls (firewalls, IDS, identity management, and so on), defined security roles, and security awareness training. At a glance they seem the same, but a closer look shows big differences, as in the table below:
| Company A | Company B |
|---|---|
| Board members understand that information security is critical to the company and demand to be updated quarterly on security performance and breaches. | Board members do not understand that information security is in their realm of responsibility and focus solely on corporate governance and profits. |
| CEO, CFO, CIO, and business unit managers participate in a risk management committee that meets each month, and information security is always one topic on the agenda to review. | CEO, CFO, and business unit managers feel as though information security is the responsibility of the CIO, CISO, and IT department and do not get involved. |
| Executive management sets an acceptable risk level that is the basis for the company’s security policies and all security activities. | The CISO took some boilerplate security policies and inserted his company’s name and had the CEO sign them. |
| Executive management holds business unit managers responsible for carrying out risk management activities for their specific business units. | All security activity takes place within the security department; thus, security works within a silo and is not integrated throughout the organization. |
| Critical business processes are documented along with the risks that are inherent at the different steps within the business processes. | Business processes are not documented and not analyzed for potential risks that can affect operations, productivity, and profitability. |
| Employees are held accountable for any security breaches they participate in, either maliciously or accidentally. | Policies and standards are developed, but no enforcement or accountability practices have been envisioned or deployed. |
| Security products, managed services, and consultants are purchased and deployed in an informed manner. They are also constantly reviewed to ensure they are cost-effective. | Security products, managed services, and consultants are purchased and deployed without any real research or performance metrics to determine the return on investment or effectiveness. |
| The organization is continuing to review its processes, including security, with the goal of continued improvement. | The organization does not analyze its performance for improvement, but continually marches forward and makes similar mistakes over and over again. |
Does the organization you work for look like Company A or Company B? Most organizations today have many of the pieces and parts to a security program (policies, standards, firewalls, security team, IDS, and so on), but management may not be truly involved, and security has not permeated throughout the organization. Some organizations rely just on technology and isolate all security responsibilities within the IT group. If security were just a technology issue, then this security team could properly install, configure, and maintain the products, and the company would get a gold star and pass the audit with flying colors. But that is not how the world of information security works today. It is much more than just technological solutions. Security must be utilized throughout the organization, and having several points of responsibility and accountability is critical. Security governance is a coherent system of integrated processes that helps to ensure consistent oversight, accountability, and compliance. It is a structure that we should put in place to make sure that our efforts are streamlined and effective and that nothing is being missed.
Most companies today have many parts of a security program (policies, standards, firewalls, a security team, IDS, and so on), but management is not truly involved and security has not permeated the whole organization. Some organizations rely only on technology and push all security responsibility onto the IT team. If security were only a technology problem, the security team would just install, configure, and manage products and the company would pass its audit with high marks. But that is not how information security really works. Security is more than technical solutions. Security must run through the whole organization, and having several points of responsibility and accountability is critical. Security governance is a coherent system of integrated processes that helps ensure continuous oversight, accountability, and compliance. It is a structure we must put in place to make sure our efforts are streamlined and effective and that nothing is left out.
We really can’t just build a security program, call it good, and go home. We need a way to assess the effectiveness of our work, identify deficiencies, and prioritize the things that still need work. We need a way to facilitate decision making, performance improvement, and accountability through collection, analysis, and reporting of the necessary information. As the saying goes, “You can’t manage something you can’t measure.” In security there are many items that need to be measured so that performance is properly understood. We need to know how effective and efficient our security controls are to not only make sure that assets are properly protected, but also to ensure that we are being financially responsible in our budgetary efforts.
We can't just finish building a security program, declare it done, and go home to sleep. We need a way to assess the effectiveness of our work, find its deficiencies, and prioritize the next steps. We need a way, through collecting, analyzing, and reporting the necessary information, to support decision making, performance improvement, and accountability. As the saying goes, “You can't manage what you can't measure.” Many items in security need to be measured so that the effect of the security work is properly understood. We need to know how effective and efficient the security controls are, to make sure assets are properly protected and that the investment is worthwhile.
There are different methodologies that can be followed when it comes to developing security metrics, but no matter what model is followed, some things are critical across the board. Strong management support is necessary, because while it might seem that developing ways of counting things is not overly complex, the actual implementation and use of a metric and measuring system can be quite an undertaking. The metrics have to be developed, adopted, integrated into many different existing and new processes, interpreted, and used in decision-making efforts. Management needs to be on board if this effort is going to be successful.
There are many methodologies for developing security metrics, but some points are critical in all of them. First is strong management support: developing security metrics looks simple, but actually building and using a metric and measurement system is a major undertaking. Metrics must be developed, adopted, and integrated into existing and new processes, and applied in decision making. Management support is therefore essential if the effort is to succeed.
Another requirement is that there has to be established policies, procedures, and standards to measure against. How can you measure policy compliance when there are no policies in place? A full security program needs to be developed and matured before attempting to measure its pieces and parts.
Another requirement is that established policies, procedures, and standards exist to measure against. Without policies, how can you assess policy compliance? A complete security program must be built and matured before any part of it can be measured.
Measurement activities need to provide quantifiable performance-based data that is repeatable, reliable, and produces results that are meaningful. Measurement will need to happen on a continuous basis, so the data collection methods must be repeatable. The same type of data must be continuously gathered and compared so that improvement or a drop in improvement can be identified. The data collection may come from parsing system logs, incident response reports, audit findings, surveys, or risk assessments. The measurement results must also be meaningful for the intended audience. An executive will want data portrayed in a method that allows him to understand the health of the security program quickly and in terms he is used to. This can be a heat map, graph, pie chart, or scorecard. A balanced scorecard, shown in Figure 2-15, is a traditional strategic tool used for performance measurement in the business world. The goal is to present the most relevant information quickly and easily. Measurements are compared with set target values so if performance deviates from expectations, they can be conveyed in a simplistic and straightforward manner.
Measurement activities need quantitative, performance-based data that is repeatable, reliable, and produces meaningful results. Measurement is continuous, so data collection methods must be repeatable. The same types of data must be collected and compared continuously so that improvement, or the lack of it, can be identified. Data may come from parsing system logs, incident response reports, audit findings, surveys, and risk assessments. Measurement results must be meaningful to their audience. An executive wants data presented in a way that lets him quickly understand the health of the security program, in terms he is familiar with: a heat map, chart, pie chart, or scorecard. A balanced scorecard is a traditional strategic tool for performance measurement in the business world. The goal is to present the most relevant information quickly and easily. Measurements are compared with target values, so if performance deviates from expectations this can be shown in a simple and intuitive way.
If the audience for the measurement values are not executives, but instead security administrators, then the results are presented in a manner that is easiest for them to understand and use.
If the audience is security administrators, the results need to be presented in a different style.
There are industry best practices that can be used to guide the development of a security metric and measurement system. The international standard is ISO/IEC 27004:2009, which is used to assess the effectiveness of an ISMS and the controls that make up the security program as outlined in ISO/IEC 27001. So ISO/IEC 27001 tells you how to build a security program and then ISO/IEC 27004 tells you how to measure it. The NIST 800-55 publication also covers performance measuring for information security, but has a U.S. government slant. The ISO standard and NIST approaches to metric development are similar, but have some differences. The ISO standard breaks individual metrics down into base measures, derived measures, and then indicator values. The NIST approach is illustrated in Figure 2-16, which breaks metrics down into implementation, effectiveness/efficiency, and impact values.
Industry best practices exist to guide the development of a security metric and measurement system. The international standard is ISO/IEC 27004:2009, which is used to assess the effectiveness of an ISMS and of the controls that make up the security program as outlined in ISO/IEC 27001. So ISO/IEC 27001 tells you how to build a security program and ISO/IEC 27004 tells you how to measure it. NIST 800-55 also covers performance measurement for information security, but is oriented toward the U.S. government. The ISO and NIST approaches are similar but have some differences. ISO breaks individual metrics down into base measures, derived measures, and indicator values. The NIST approach, shown in the figure below, breaks metrics down into implementation, effectiveness/efficiency, and impact values.
If your organization has the goal of becoming ISO/IEC 27000 certified, then you should follow ISO/IEC 27004:2009. If your organization is governmental or a government contracting company, then following the NIST standard would make more sense. What is important is consistency. For metrics to be used in a successful manner, they have to be standardized and have a direct relationship to each other. For example, if an organization used a rating system of 1–10 to measure incident response processes and a rating system of High, Medium, and Low to measure malware infection protection mechanisms, these metrics could not be integrated easily. An organization needs to establish the metric value types it will use and implement them in a standardized method across the enterprise. Measurement processes need to be thought through at a detailed level before attempting implementation. Table 2-14 illustrates a metric template that can be used to track incident response performance levels.
If you want ISO/IEC 27000 certification, follow ISO/IEC 27004:2009; if your organization is government-related, following NIST makes more sense. The most important thing about metrics is consistency. For metrics to be used successfully they must be standardized and directly related to each other. If one part is rated 1–10 and another is rated High, Medium, or Low, integrating them is a problem. The organization needs to establish the metric value types it will use and apply them in a standardized way across the whole company. The measurement process must be thought through in great detail before implementation. The table below is an example:
A security program should address issues from a strategic, tactical, and operational view, as shown in Figure 2-17. The security program should be integrated at every level of the enterprise’s architecture. Security management embodies the administrative and procedural activities necessary to support and protect information and company assets throughout the enterprise. It includes development and enforcement of security policies and their supporting mechanisms: procedures, standards, baselines, and guidelines. It encompasses enterprise security development, risk management, proper countermeasure selection and implementation, governance, and performance measurement.
A security program needs to address issues from the strategic, tactical, and operational perspectives, as shown in the figure below. The security program should be integrated at every level of the enterprise architecture. Security management is embodied in the administrative and procedural activities needed to support and protect the enterprise's information and assets. It includes the development and enforcement of security policies and their supporting mechanisms (procedures, standards, baselines, guidelines), and covers enterprise security development, risk management, proper countermeasure selection and implementation, governance, and performance measurement.
Security is a business issue and should be treated as such. It must be properly integrated into the company’s overall business goals and objectives because security issues can negatively affect the resources the company depends upon. More and more corporations are finding out the price paid when security is not given the proper attention, support, and funds. This is a wonderful world to live in, but bad things can happen. The ones who realize this notion not only survive, but also thrive.
Security is a business issue and should be treated as one. It must be properly integrated with the company's overall business goals and objectives, because security problems can negatively affect the resources the company depends on. More and more companies are discovering the price of not giving security enough attention, support, and funding. It is a colorful world, but bad things do happen. Those who realize this not only survive but thrive.
• The objectives of security are to provide availability, integrity, and confidentiality protection to data and resources.
The purpose of security is to provide availability, integrity, and confidentiality protection for data and resources.
• A vulnerability is the absence of or weakness in a control.
A vulnerability is the absence of a control or a weakness in one.
• A threat is the possibility that someone or something would exploit a vulnerability, intentionally or accidentally, and cause harm to an asset.
A threat is the possibility that someone or something intentionally or accidentally exploits a vulnerability and causes loss to an asset.
• A risk is the probability of a threat agent exploiting a vulnerability and the loss potential from that action.
Risk is the probability of a threat agent exploiting a vulnerability and the potential loss from that action.
• A countermeasure, also called a safeguard or control, mitigates the risk.
A countermeasure, also called a safeguard or control, mitigates the risk.
• A control can be administrative, technical, or physical and can provide deterrent, preventive, detective, corrective, or recovery protection.
A control can be administrative, technical, or physical, and can provide deterrent, preventive, detective, corrective, or recovery protection.
• A compensating control is an alternate control that is put into place because of financial or business functionality reasons.
A compensating control is an alternate control adopted for financial or business-functionality reasons.
• CobiT is a framework of control objectives and allows for IT governance.
CobiT is a framework of control objectives that can be used for IT governance.
• ISO/IEC 27001 is the standard for the establishment, implementation, control, and improvement of the information security management system.
ISO/IEC 27001 is a standard for establishing, implementing, controlling, and improving an information security management system (ISMS).
• The ISO/IEC 27000 series were derived from BS 7799 and are international best practices on how to develop and maintain a security program.
ISO/IEC 27000 evolved from BS 7799 and is the international best practice on how to build and manage a security program.
• Enterprise architecture frameworks are used to develop architectures for specific stakeholders and present information in views.
Enterprise architecture frameworks are used to develop architectures for specific stakeholders and present information in views.
• An information security management system (ISMS) is a coherent set of policies, processes, and systems to manage risks to information assets as outlined in ISO/IEC 27001.
An information security management system (ISMS) is a set of policies, processes, and systems used to manage the risks to information assets as outlined in ISO/IEC 27001.
• Enterprise security architecture is a subset of business architecture and a way to describe current and future security processes, systems, and subunits to ensure strategic alignment.
Enterprise security architecture is a subset of business architecture and a way of describing current and future security processes, systems, and subunits to ensure strategic alignment.
• Blueprints are functional definitions for the integration of technology into business processes.
Blueprints are functional definitions for integrating technology into business processes.
• Enterprise architecture frameworks are used to build individual architectures that best map to individual organizational needs and business drivers.
Enterprise architecture frameworks are used to build individual architectures that best map to individual organizational needs and business drivers.
• Zachman is an enterprise architecture framework, and SABSA is a security enterprise architecture framework.
Zachman is an enterprise architecture framework; SABSA is a security enterprise architecture framework.
• COSO is a governance model used to help prevent fraud within a corporate environment.
COSO is a governance model used to help prevent fraud inside a company.
• ITIL is a set of best practices for IT service management.
ITIL is the best practice for IT service management.
• Six Sigma is used to identify defects in processes so that the processes can be improved upon.
Six Sigma is used to find defects in processes so that they can be improved.
• CMMI is a maturity model that allows for processes to improve in an incremented and standard approach.
CMMI is a maturity model that lets processes improve in an incremental and standardized way.
• Security enterprise architecture should tie in strategic alignment, business enablement, process enhancement, and security effectiveness.
Security enterprise architecture should tie together strategic alignment, business enablement, process enhancement, and security effectiveness.
• NIST 800-53 uses the following control categories: technical, management, and operational.
NIST 800-53 uses the following control categories: technical, management, and operational.
• OCTAVE is a team-oriented risk management methodology that employs workshops and is commonly used in the commercial sector.
OCTAVE is a team-oriented risk management methodology that works mainly through workshops and is generally used in the commercial sector.
• Security management should work from the top down (from senior management down to the staff).
Security management should be top-down, from senior management to staff.
• Risk can be transferred, avoided, reduced, or accepted.
Risk can be transferred, avoided, reduced, or accepted.
• Threats × vulnerability × asset value = total risk.
Threats × vulnerability × asset value = total risk
• (Threats × vulnerability × asset value) × controls gap = residual risk.
(Threats × vulnerability × asset value) × controls gap = residual risk
• The main goals of risk analysis are the following: identify assets and assign values to them, identify vulnerabilities and threats, quantify the impact of potential threats, and provide an economic balance between the impact of the risk and the cost of the safeguards.
The main goals of risk analysis are: identify assets and assign them values, identify vulnerabilities and threats, quantify the impact of potential threats, and balance the impact of the risk against the cost of the safeguards.
• Failure Modes and Effect Analysis (FMEA) is a method for determining functions, identifying functional failures, and assessing the causes of failure and their failure effects through a structured process.
Failure Modes and Effect Analysis is a method for determining functions, identifying functional failures, and using a structured process to assess the causes of failures and their effects.
• A fault tree analysis is a useful approach to detect failures that can take place within complex environments and systems.
Fault tree analysis is a useful tool for detecting failures that can occur in complex environments and systems.
• A quantitative risk analysis attempts to assign monetary values to components within the analysis.
Quantitative risk analysis attempts to assign monetary values to the components in the analysis.
• A purely quantitative risk analysis is not possible because qualitative items cannot be quantified with precision.
A purely quantitative risk analysis is not possible because qualitative items cannot be precisely quantified.
• Capturing the degree of uncertainty when carrying out a risk analysis is important, because it indicates the level of confidence the team and management should have in the resulting figures.
Understanding the degree of uncertainty in a risk analysis is important because it indicates how much confidence the team and management should have in the results.
• Automated risk analysis tools reduce the amount of manual work involved in the analysis. They can be used to estimate future expected losses and calculate the benefits of different security measures.
Automated risk analysis tools reduce the manual work in an analysis. They can be used to estimate future expected losses and calculate the benefits of different security measures.
• Single loss expectancy × frequency per year = annualized loss expectancy (SLE × ARO = ALE).
Single loss expectancy × annualized rate of occurrence = annualized loss expectancy
• Qualitative risk analysis uses judgment and intuition instead of numbers.
Qualitative risk analysis uses judgment and intuition rather than numbers.
• Qualitative risk analysis involves people with the requisite experience and education evaluating threat scenarios and rating the probability, potential loss, and severity of each threat based on their personal experience.
Qualitative risk analysis uses people with experience and relevant education to evaluate threat scenarios based on their own experience and rate the probability, potential loss, and severity of each.
• The Delphi technique is a group decision method where each group member can communicate anonymously.
The Delphi technique is a group decision method in which each member can communicate anonymously.
• When choosing the right safeguard to reduce a specific risk, the cost, functionality, and effectiveness must be evaluated and a cost/benefit analysis performed.
When choosing the right safeguard to reduce a specific risk, its cost, functionality, and effectiveness must be evaluated and a cost/benefit analysis performed.
• A security policy is a statement by management dictating the role security plays in the organization.
A security policy is a statement decided by management that defines the role security plays in the organization.
• Procedures are detailed step-by-step actions that should be followed to achieve a certain task.
Procedures are detailed step-by-step actions that must be followed to complete a specific task.
• Standards are documents that outline rules that are compulsory in nature and support the organization’s security policies.
Standards are documents that list mandatory rules and support the organization's security policies.
• A baseline is a minimum level of security.
A baseline is a minimum level of security.
• Guidelines are recommendations and general approaches that provide advice and flexibility.
Guidelines are recommendations and general approaches that provide advice and flexibility.
• Job rotation is a detective administrative control to detect fraud.
Job rotation is a detective administrative control that can be used to detect fraud.
• Mandatory vacations are a detective administrative control type that can help detect fraudulent activities.
Mandatory vacations are a kind of detective administrative control that can help detect fraudulent activity.
• Separation of duties ensures no single person has total control over a critical activity or task. It is a preventative administrative control.
Separation of duties ensures that no single person holds all the permissions needed to carry out a critical activity or task. It is a preventive administrative control.
• Split knowledge and dual control are two aspects of separation of duties.
Split knowledge and dual control are two aspects of separation of duties.
• Data owners specify the classification of data, and data custodians implement and maintain controls to enforce the set classification levels.
Data owners classify the data; data custodians implement and maintain controls to enforce the data's classification levels.
• Security has functional requirements, which define the expected behavior from a product or system, and assurance requirements, which establish confidence in the implemented products or systems overall.
Security has functional requirements, which express the expected behavior of a product or system, and assurance requirements, which establish overall confidence in the implemented products and systems.
• Management must define the scope and purpose of security management, provide support, appoint a security team, delegate responsibility, and review the team’s findings.
Management must define the scope and purpose of security management, provide support, assemble a security team, delegate responsibilities, and review the team's findings.
• The risk management team should include individuals from different departments within the organization, not just technical personnel.
The risk management team should include people from different departments of the organization, not just technical personnel.
• Social engineering is a nontechnical attack carried out to manipulate a person into providing sensitive data to an unauthorized individual.
Social engineering is a non-technical attack that manipulates someone into providing sensitive data to unauthorized persons.
• Personal identification information (PII) is a collection of identity-based data that can be used in identity theft and financial fraud, and thus must be highly protected.
Personally identifiable information is a collection of identity-based data that can be used for identity theft and financial fraud, and therefore must be closely protected.
• Security governance is a framework that provides oversight, accountability, and compliance.
Security governance is a framework for providing oversight, accountability, and compliance.
• ISO/IEC 27004:2009 is an international standard for information security measurement management.
ISO/IEC 27004:2009 is an international standard for information security measurement management.
• NIST 800-55 is a standard for performance measurement for information security.
NIST 800-55 is a standard for performance measurement of information security.
CISSP AIO 2th: Information Security Governance and Risk Management
Original URL: http://www.cnblogs.com/likefrank/p/CISSP_AIO_2th.html