[国外经济类书籍大全]Ebook-Cissp-RiskManagement

RiskManagementJamesW.Meritt,CISSPJim.Meritt@Wang.comWangGlobal(703)827-3534AbstractTobelievethenewsmedia,thereareahostofcruelandomnipotenthackersouttherewhocantotallydestroyanysystemtheysettheirmindsto,spreadingtotaldevastationuponwhoeverandwherevertheywish.Theslightestfreakofnature-heavyrain,afire,adateonacalendar-canwipeanysystemoutentirely.Thisisnotthecase:thedevastationisnottotal,thedestructionisnotcompletetherearecountermeasureswhichcanbebroughttobeartoavoidthisdisastrousoutcome.IntroductionThereareanumberofveryrealriskstoinformationsystems,buttheyarenotabsolute.Thereisachanceofanysystembeingsubjecttoattack,butitisn’tcertain.Youarenotsubjecttothewhimsoftheattackerorofnature,therearemanythingswhichcanbedonetomitigatethelosses.Riskmanagementisthetotalprocessofidentifying,measuring,andminimizinguncertaineventsaffectingresources.Thispaperwaswrittentohelpintheobjectiveanalysisoftheriskmanagementprocess.EvaluatingWhatIsAtRiskEveryassethasanassociatedcost.Thecostofphysicalassetsshouldbetheatleastthereplacementcost,whichshouldalsoincludeinflationrates.Categoriesthatshouldbeconsideredare:Facilities:Allbuildings,airconditioning,furnishingsandothersupportequipment.Excludesanyassetmoreproperlyclassifiableinanotherassetcategory.Thinkofthingslikefireorflood.Otherpossibilitiesincludeearthquake,bombsandchemicalcontaminationwhichcausestheEPAtoclosethefacility.Thecostassociatedwithcomputingresourcescanbethecosttoruntheresourceforagiventimeperiod,orbyestimatingthetimerequiredtorebuild/compile,testandre-install.Equipment:Allinformationsystemequipmentlocatedinthecontiguousarea.DoesNOTincludeequipmentthatwouldNOTbelost,say,inafirethatcompletelydestroysthecomputerfacilitysuchasrelayequipmentunderamanholecoverormountedonatelephonepoleoutsideofthefacility.Everythingthatyouhadtobuyandinstallinthecenter-youshouldbeabletogetthepurchasepricerealeasy.Andcheckthemaintenanceagreement-theremaybesomeprovisointhereamongstthewarrantyinformation.Software:Allprogramsanddocumentationthatwouldbelostifthecomputerfacilitywascompletelydestroyed.Thiscanbebrokendowninto:Commercial-Youboughtit,youcanconsultyourreceipt.Checkthewarrantyinformation,becauseitmaybereplacedforfreeintheeventofdisaster.Proprietary-Youdevelopedityourself.Howmuchwoulditcosttore-createit?RecordsandFiles:Allmagneticmediadatafilesthatwouldbelostifthefacilitywerecompletelydestroyed.Simplycountandmultiply.Theinformationcontentofthoseitemsiscoverednext.DataandInformation:Anarbitraryvaluemethodicallyappliedtorepresentthevalueofalldataandinformationmaintainedinthecomputerfacility;includinganylossesthatmightoccurwerethedatacompromisedbutnotnecessarilydestroyed.Forestimatingthecostsofthedataitself,talktotheinformationowners:findouthowmuchtimeandresourceswouldberequiredtoreplaceit(iftheyneedtoreplaceitall).Costtimeandresources-theprocurementdepartmentshouldbeabletocoststafftimewhenneeded.Onemeasureisthelaborneededtorecreateit.Tothisshouldbeaddedtheopportunitycost--themoneyunearnedbecauseoneisbusyrecreatinginsteadofproceedingwithotherbusiness.Trytoestimateimpactonthebusiness:askquestionssuchas:canyoudoyourworkwithoutthisdata?Ifnot,canthecompanyoperatewithoutrevenueuntilyougettheinformationback?andsoon.Estimatecostofthisimpact(takingintoaccountintangiblessuchaslossofbusiness,lossofreputation,etc.).Internal/externalauditorsshouldbeabletohelpdothecostestimating.Informationresultsfromtheprocessingofdata.Althoughtherearewaystoquantifyandcharacterizedata,measuringthevalueofinformationismoredifficult.Oftenasmallamountofinformationwillhavegreatervaluethanlargeamountsofotherinformation.Theneedtodesigncost-effectiveinformationprotectionarchitecturesaddsnewurgencytothisclassicproblem.Thereisnoonemetricthatappliestoallcircumstances,butanapproachusingmultiplemetrics,eachlookingatoneaspectcanstillbeuseful.Althoughitwouldbenicetohaveasimplewayofassigninganabsolutevaluetoinformation,itmaybemoreusefultoassessvalueisrelativetosomecontextincludingtheusesthataretobemadeofitaswellastheactionsofcompetitorsorenemies.Therearedifferenttypesandplaceswhereinformationresidesinanorganizationandmethodstoassessitsvalueineachofthese.VitalInformationexistsin:•VisionorMissionStatements,•StrategicPlansorOperationalConcepts•BusinessProcesses•CorporateDatabases•InformationSystemResourcesincludingthecapabilitiesoftheknowledgeworkerswhoseexpertisemakesthingsfunction.(Theseresourcesaretheonesthatyouwillprobablybemoreconcernedabout.)Thecostassociatedwithintellectualpropertyshouldtakeintoaccounthowtheorganizationwouldreactifthedataweretobetotallycompromised.Sometypesofinformation,suchastradesecretsarevaluablebecausetheyenableittobuildbetterproductsorconductatypeofbusinessmoreablythanthosewhodon'tsharethesesecrets.Thistypeofinformationcanloseitsvalueshoulditbecomecommonlyavailable.Thesameistrueofintellectualcapitalsuchassoftwareorcopyrightedliterature.Regardlessofotherfunctionalorsocietalvalueitmaycarry,itscommercialvaluederivesfromitsabilitytoinfluencepurchasesorproductscontainingit.Othertypesofinformationsuchasadvertisingorpo