SECURITY IN COMPUTING, FIFTH EDITION
Chapter 7: Management and Incidents
Instructor: 高海波 (Gao Haibo), 河南中医药大学 (Henan University of Chinese Medicine), Information Management and Information Systems Teaching and Research Section
From Security in Computing, Fifth Edition, by Charles P. Pfleeger, et al. (ISBN: 9780134085043). Copyright 2015 by Pearson Education, Inc. All rights reserved.
Chapter 7 Objectives
• Study the contents of a good security plan
• Learn to plan for business continuity and for responding to incidents
• Outline the steps and best practices of risk analysis
• Learn to prepare for natural and human-caused disasters
Contents of a Security Plan
• Policy, indicating the goals of a computer security effort and the willingness of the people involved to work to achieve those goals
• Current state, describing the status of security at the time of the plan
• Requirements, recommending ways to meet the security goals
• Recommended controls, mapping controls to the vulnerabilities identified in the policy and requirements
• Accountability, documenting who is responsible for each security activity
• Timetable, identifying when different security functions are to be done
• Maintenance, specifying a structure for periodically updating the security plan
Security Policy
• A high-level statement of purpose and intent
• Answers three essential questions:
  • Who should be allowed access?
  • To what system and organizational resources should access be allowed?
  • What types of access should each user be allowed for each resource?
• Should specify:
  • The organization’s security goals (e.g., define whether reliable service is a higher priority than preventing infiltration)
  • Where the responsibility for security lies (e.g., the security group or the user)
  • The organization’s commitment to security (e.g., defines where the security group fits in the corporate structure)
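The three questions above (who, to which resources, with what access types) are exactly the data an access policy has to record, and a policy is only useful if a system can answer those questions mechanically. The following is an added illustration, not code from the textbook or these slides: it encodes group-based allow rules with a default-deny evaluation, then answers the "who can access this resource?" and "what may this user do?" questions from the same rules. The organization, group names, users and resources are constructed samples.

```python
"""Added example (not from the textbook or the slides): a minimal access policy
that records the answers to the three security-policy questions (who, to what
resources, with what access types) and evaluates requests with default deny.
Every subject, group and resource name below is constructed for illustration."""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Rule:
    group: str          # who: a group/role of users
    resource: str       # to what: an organizational resource
    access: frozenset   # what types of access: e.g. {"read", "write"}


@dataclass
class Policy:
    rules: list = field(default_factory=list)
    membership: dict = field(default_factory=dict)   # user -> set of groups

    def allow(self, group, resource, *access):
        """Record one positive rule; there are no deny rules because anything
        not explicitly allowed is refused."""
        self.rules.append(Rule(group, resource, frozenset(access)))
        return self

    def add_user(self, user, *groups):
        self.membership[user] = set(groups)
        return self

    def permitted(self, user, resource, access):
        """Default deny: grant only if some rule for a group the user belongs to
        names this resource and this access type. Unknown users get no groups,
        so they are denied everything."""
        groups = self.membership.get(user, set())
        return any(
            r.group in groups and r.resource == resource and access in r.access
            for r in self.rules
        )

    def who_can(self, resource, access):
        """Answers 'who should be allowed access?' for one resource/access pair."""
        return sorted(u for u in self.membership
                      if self.permitted(u, resource, access))

    def rights_of(self, user):
        """Answers 'what types of access should each user be allowed for each
        resource?' as a mapping resource -> set of access types."""
        out = {}
        groups = self.membership.get(user, set())
        for r in self.rules:
            if r.group in groups:
                out.setdefault(r.resource, set()).update(r.access)
        return out


def build_example_policy():
    """Constructed sample organization: two groups, three users, two resources."""
    p = Policy()
    p.allow("clinical-staff", "patient-records", "read")
    p.allow("records-admin", "patient-records", "read", "write")
    p.allow("records-admin", "audit-log", "read")
    p.add_user("alice", "clinical-staff")
    p.add_user("bob", "records-admin")
    p.add_user("carol")   # belongs to no group: denied everything by default
    return p


if __name__ == "__main__":
    p = build_example_policy()
    print("alice reads patient-records:", p.permitted("alice", "patient-records", "read"))
    print("alice writes patient-records:", p.permitted("alice", "patient-records", "write"))
    print("readers of patient-records:", p.who_can("patient-records", "read"))
    print("bob's rights:", p.rights_of("bob"))
```

The point of structuring it this way is that the policy document's questions map one-to-one onto queries: `who_can` and `rights_of` read the same rules that `permitted` enforces, so the written policy and the enforced policy cannot drift apart.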
Assessment of Current Security Status
• A risk analysis (a systematic investigation of the system, its environment, and what might go wrong) forms the basis for describing the current security state
• Defines the limits of responsibility for security:
  • Which assets are to be protected
  • Who is responsible for protecting them
  • Who is excluded from responsibility
  • Boundaries of responsibility