International Developments in Risk Assessment

– 1 Sector Analysis
– 2 Interdependency Analysis
– 3 Risk Analysis
– 4 Threat Assessment
– 5 Vulnerability Assessment
– 6 Impact Assessment
– 7 System Analysis
International Developments in Risk Assessment
Key Points of This Report
• Information security management has become a hot topic in information security assurance
• Lessons from Ted
• The relationship between risk assessment and graded protection
Information Security Management Has Become a Hot Topic in Information Security Assurance
• IT IS $!
• Information is wealth; security is what gives it value.
• CI: Critical Infrastructure
• CIP: Critical Infrastructure Protection
• CII: Critical Information Infrastructure
• CIIP: Critical Information Infrastructure Protection
• Technology provides security assurance functions, but it is not the whole of security assurance
• Raising people's security awareness and addressing technology and management together has become an international consensus.
ISMS Standards
(Figure: layered diagram of the ISMS standards framework; only its labels survive.)
– Management system specs, guidance & auditing: BS 7799 Part 2 ISMS Specifications (SHALL statements); GMITS/MICTS; PD 3000 series on risk and selection of controls; Compliance audit/reviews; Risk assessment audit/reviews
– Governance principles
– Controls and control implementation advice (NON-MANDATORY statements)
– Technical implementation and specification standards: TPP services, Encryption, Digital signatures, IT network security, Time stamping, Authentication, Access control
ISMS Standards: Revision of ISO/IEC 17799:2000
(Table comparing control objectives; only the column headings survive: "2000 edition Control Objective", "Revised edition Control Objective", "State requirement".)
Complex Interconnected Infrastructures
• Sector and Layer Model
• Sector Analysis
• Process and Technology Analysis
• Dimensional Interdependency Analysis
(tail of the SP 800-53A entry in the NIST list: planned for publication 2003 to 2004)
• SP 800-60, Guide for Mapping Information and Information Types to Security Objectives and Risk Levels (draft version 2.0, March 2004)
Managing Enterprise Risk and Achieving More Secure Information Systems involves:
• Categorizing (enterprise information and information systems)
• Selecting (appropriate security controls)
• Refining (security controls through a risk assessment)
• Documenting (security controls in a system security plan)
• Implementing (security controls in new and legacy systems)
• Assessing (the effectiveness of security controls)
• Determining (enterprise-level risk and risk acceptability)
• Authorizing (information systems for processing)
• Monitoring (security controls on an ongoing basis)
(ISO/IEC 17799 new version, continued)
• Access control
• Information systems acquisition, development and maintenance
• Information security incident management
• Business continuity management
• Compliance
BS 7799-2:2002 PDCA Model
(Figure: the Plan-Do-Check-Act cycle.)
– PLAN: Design ISMS
– DO: Implement & use ISMS
– CHECK: Monitor & review ISMS
– ACT: Maintain & improve ISMS
Risk based continual improvement framework for information security management
(ISMS standards figure, continued.)
– Key management, Biometrics, Non-repudiation, Cards
– Product and product system testing and evaluation: ISO/IEC 15408 Evaluation criteria, Protection profiles
ISMS Standards
Vulnerability Analysis, effective 1 September 2004 (tail of item 8 in the ISACA list: Security Assessment, Penetration Testing and Vulnerability Analysis)
• Issued Control Objectives for Information and Related Technology (CoBIT)
– CoBIT has been developed and promoted through its third edition
– CoBIT starts from the premise of the information an organisation needs in order to achieve its business objectives
– CoBIT encourages a business-process-centred approach, with ownership and accountability assigned by business process
– CoBIT also takes into account the organisation's needs for trust, quality and security
2002 edition
• Technical IT-Security Models
• Risk Analysis Methodology (for IT Systems)
• Infrastructure Risk Analysis Model (IRAM)
• Leontief-Based Model of Risk in
• The Information Systems Audit and Control Association (ISACA) has issued:
1. IS Risk Assessment, effective 1 July 2002
2. Digital Signatures, effective 1 July 2002
3. Intrusion Detection, effective 1 August 2003
4. Viruses and other Malicious Logic, effective 1 August 2003
5. Control Risk Self-assessment, effective 1 August 2003
6. Firewalls, effective 1 August 2003
7. Irregularities and Illegal Acts, effective 1 November 2003
8. Security Assessment: Penetration Testing and Vulnerability Analysis, effective 1 September 2004 (this last item is split across the slide extract)
Standards Bodies and Industry Groups Are Accelerating Development of Management Standards
• ISO
– 13335 is being restructured and revised
– 17799 is under revision
– Adoption of BS 7799-2 as an international standard is under discussion
• NIST, under the banner of certification and accreditation of federal IT systems, has issued a large number of specifications
• SP 800-18, Guide for Developing Security Plans for IT Systems (December 1998)
• SP 800-26, Security Self-Assessment Guide for IT Systems (November 2001)
• SP 800-30, Risk Management Guide for IT Systems (published January 2002; 21 January 2004
• For managers and IT implementers seeking best practices in control implementation, CoBIT provides more than 300 detailed control objectives, together with extensive action guidance built on those objectives; the latter is used to assess and audit the degree of control and governance over IT processes.
International CIIP Handbook (2004)
• Part II Analysis of Methods and Models for CII Assessment
National schemes and standards
ISMS Control Catalogues
Management system certification and accreditation standards (auditing process, procedures etc)
Product Standards
revised)
• SP 800-37, Guide for the Certification and Accreditation of Federal IT Systems (September 2002; July 2003; final text May 2004)
• FIPS 199, Standards for Security Categorization of Federal Information and Information Systems (draft, first edition, December 2003)
• SP 800-53, Security Controls for Federal Information Systems (draft published 31 August 2003)
• SP 800-53A, Techniques and Procedures for Verifying the Effectiveness of Security Controls in Federal Information Systems (planned
Lessons from Ted
Risk Triangle
(Figure, with the labels Threat, Risk, Vulnerability and Asset.)
The Information Security Governance Standards System (ISMS) as Ted Sees It
(Figure; labels recovered from the slide.)
– Corporate Governance
– BS 7799 Part 2: PLAN, DO, CHECK, ACT
– ISO/IEC 17799
– Risk management and treatment; system controls
– Internal audit function
ISMS Standards: ISO/IEC 17799 and BS 7799-2
(Figure; labels recovered from the slide.)
– Security processes and control compliance statements
– Controls
– MANDATORY statements
– Risk assessment, treatment and management
– It provides several information criteria that an organisation uses to define its business requirements for IT: efficiency, effectiveness, availability, integrity, confidentiality, reliability and compliance.
• CoBIT further divides IT into four domains:
– Plan and Organise
– Acquire and Implement
– Deliver and Support
– Monitor and Evaluate
• There are 34 IT processes in total. Three of them are directly and closely related to information security:
– Plan and Organise process 9: Assess Risks
– Deliver and Support process 4: Ensure Continuous Service
– Deliver and Support process 5: Ensure Systems Security
Comparison of the Old and New Versions of ISO/IEC 17799
2000 version
• Security policy
• Security organisation
• Asset classification & control
• Personnel security
• Physical & environmental security
• Communications & operations management
(ISMS standards figure, continued.)
– ISO/IEC 18044 Incident handling
– ISMS Guidelines (risk assessment, selection of controls)
– ISO/IEC 17799
– ISO Guide 62, EA7/03, EN45012, ISO9001, ISO19011, EN45013
(2000 version, continued)
• Access control
• Systems development & maintenance
• Business continuity
• Compliance
new version
• Security policy
• Organising information security
• Asset management
• Human resources security
• Physical & environmental security
• Communications & operations management