Monday, December 22, 2014

CISSP Note (CH2 Information Security Governance and Risk Management)

CIA

Availability
• Redundant array of inexpensive disks (RAID)
• Clustering
• Load balancing
• Redundant data and power lines
• Software and data backups
• Disk shadowing
• Co-location (customer equipment hosting: the customer moves its own network service hosts into the ISP's data center) and off-site facilities
• Roll-back functions
• Fail-over configurations
Integrity
• Hashing (data integrity)
• Configuration management (system integrity)
• Change control (process integrity)
• Access control (physical and technical)
• Software digital signing
• Transmission CRC functions
Confidentiality
• Encryption for data at rest (whole disk, database encryption)
• Encryption for data in transit (IPSec, SSL, PPTP, SSH)
• Access control (physical and technical)

Security Definitions

vulnerability: lack of a countermeasure or a weakness in a countermeasure that is in place. It can be a software, hardware, procedural, or human weakness that can be exploited.
threat: any potential danger that is associated with the exploitation of a vulnerability.
risk: the likelihood of a threat agent exploiting a vulnerability and the corresponding business impact.

Control Types

• Deterrent: intended to discourage a potential attacker
• Preventive: intended to avoid an incident from occurring
• Corrective: fixes components or systems after an incident has occurred
• Recovery: intended to bring the environment back to regular operations
• Detective: helps identify an incident's activities and potentially an intruder
• Compensating: controls that provide an alternative measure of control

It is most productive to use a preventive model and then use detective, recovery, and corrective mechanisms to help support this model.

COSO and CobiT

COSO is a model for corporate governance, and CobiT is a model for IT governance. COSO deals more at the strategic level, while CobiT focuses more at the operational level.

ITIL (Information Technology Infrastructure Library)

The de facto standard of best practices for IT service management.

ISO/IEC 27000 (policy level, blueprints) -> COBIT (checklist, control objectives) -> ITIL (operations)

CMMI

Level 0 -> Level 6
Nonexistent management -> Unpredictable processes -> Repeatable processes -> Defined processes -> Managed processes -> Optimized processes

SLE and ALE

SLE (single loss expectancy) = Asset Value (AV) × Exposure Factor (EF)
ALE (annual loss expectancy) = SLE × Annualized Rate of Occurrence (ARO)
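The two formulas above applied to a small risk register, as an added example that is not part of the original note. The three risks, their asset values, exposure factors and rates of occurrence are constructed for illustration; the helper `aro_from_interval` is an assumption based on the usual reading that an event expected once every N years has an ARO of 1/N.

```python
"""Quantitative risk calculation with SLE and ALE (added example, constructed data)."""
from dataclasses import dataclass
from typing import List


@dataclass(frozen=True)
class Risk:
    name: str
    asset_value: float      # AV: value of the asset, in currency units
    exposure_factor: float  # EF: fraction of the asset value lost in one incident (0.0 .. 1.0)
    aro: float              # ARO: expected number of incidents per year


def aro_from_interval(years_between_incidents: float) -> float:
    """Assumption: an event expected once every N years has ARO = 1 / N."""
    if years_between_incidents <= 0:
        raise ValueError("interval must be positive")
    return 1.0 / years_between_incidents


def sle(risk: Risk) -> float:
    """Single loss expectancy: SLE = AV x EF."""
    if not 0.0 <= risk.exposure_factor <= 1.0:
        raise ValueError("EF must be a fraction between 0 and 1")
    return risk.asset_value * risk.exposure_factor


def ale(risk: Risk) -> float:
    """Annualized loss expectancy: ALE = SLE x ARO."""
    if risk.aro < 0:
        raise ValueError("ARO cannot be negative")
    return sle(risk) * risk.aro


def rank_by_ale(risks: List[Risk]) -> List[Risk]:
    """Order risks so the largest expected annual loss comes first; this is the
    order in which a risk manager would normally prioritise countermeasures."""
    return sorted(risks, key=ale, reverse=True)


# Constructed sample register (not real figures).
SAMPLE_RISKS = [
    # A fire that destroys a quarter of a warehouse's value, expected once per decade.
    Risk("Warehouse fire", asset_value=500_000, exposure_factor=0.25,
         aro=aro_from_interval(10)),
    # A laptop is a total loss when stolen; four thefts a year across the fleet.
    Risk("Laptop theft", asset_value=3_000, exposure_factor=1.0, aro=4.0),
    # A breach exposes a tenth of the database's value, expected once in 20 years.
    Risk("Database breach", asset_value=2_000_000, exposure_factor=0.10, aro=0.05),
]


if __name__ == "__main__":
    print(f"{'Risk':<18}{'SLE':>12}{'ALE':>12}")
    for r in rank_by_ale(SAMPLE_RISKS):
        print(f"{r.name:<18}{sle(r):>12,.0f}{ale(r):>12,.0f}")
```

Note that the ranking by ALE differs from the ranking by SLE: the database breach has by far the largest single loss but, because it is rare, a smaller expected annual loss than the frequent laptop thefts.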

Policies, Standards, Baselines, Guidelines, and Procedures

A security policy is an overall general statement produced by senior management (or a selected policy board or committee) that dictates what role security plays within the organization.

Standards refer to mandatory activities, actions, or rules. Standards can give a policy its support and reinforcement in direction.

Baselines are also used to define the minimum level of protection required.

Guidelines are recommended actions and operational guides to users, IT staff, operations staff, and others when a specific standard does not apply. Guidelines can deal with the methodologies of technology, personnel, or physical security.

Procedures are detailed step-by-step tasks that should be performed to achieve a certain goal. Procedures are considered the lowest level in the documentation chain because they are closest to the computers and users (compared to policies) and provide detailed steps for configuration and installation issues.
