[国外经济类书籍大全]Ebook-Cissp-RiskManagement

1、RiskManagementJamesW.Meritt,CISSPJim.Meritt@Wang.comWangGlobal(703)827-3534AbstractTobelievethenewsmedia,thereareahostofcruelandomnipotenthackersouttherewhocantotallydestroyanysystemtheysettheirmindsto,spreadingtotaldevastationuponwhoeverandwherevertheywish.Theslightestfreakofnature-heavyrain,afire,adateonacalendar-canwipeanysystemoutentirely.Thisisnotthecase:thedevastationisnottotal,thedestructionisnotcompletetherearecountermeasureswhichcanbebroughttobeartoavoidthisdisastrousoutcome.Introducti。

2、onThereareanumberofveryrealriskstoinformationsystems,buttheyarenotabsolute.Thereisachanceofanysystembeingsubjecttoattack,butitisn’tcertain.Youarenotsubjecttothewhimsoftheattackerorofnature,therearemanythingswhichcanbedonetomitigatethelosses.Riskmanagementisthetotalprocessofidentifying,measuring,andminimizinguncertaineventsaffectingresources.Thispaperwaswrittentohelpintheobjectiveanalysisoftheriskmanagementprocess.EvaluatingWhatIsAtRiskEveryassethasanassociatedcost.Thecostofphysicalassetsshouldbe。

3、theatleastthereplacementcost,whichshouldalsoincludeinflationrates.Categoriesthatshouldbeconsideredare:Facilities:Allbuildings,airconditioning,furnishingsandothersupportequipment.Excludesanyassetmoreproperlyclassifiableinanotherassetcategory.Thinkofthingslikefireorflood.Otherpossibilitiesincludeearthquake,bombsandchemicalcontaminationwhichcausestheEPAtoclosethefacility.Thecostassociatedwithcomputingresourcescanbethecosttoruntheresourceforagiventimeperiod,orbyestimatingthetimerequiredtorebuild/com。

4、pile,testandre-install.Equipment:Allinformationsystemequipmentlocatedinthecontiguousarea.DoesNOTincludeequipmentthatwouldNOTbelost,say,inafirethatcompletelydestroysthecomputerfacilitysuchasrelayequipmentunderamanholecoverormountedonatelephonepoleoutsideofthefacility.Everythingthatyouhadtobuyandinstallinthecenter-youshouldbeabletogetthepurchasepricerealeasy.Andcheckthemaintenanceagreement-theremaybesomeprovisointhereamongstthewarrantyinformation.Software:Allprogramsanddocumentationthatwouldbelost。

5、ifthecomputerfacilitywascompletelydestroyed.Thiscanbebrokendowninto:Commercial-Youboughtit,youcanconsultyourreceipt.Checkthewarrantyinformation,becauseitmaybereplacedforfreeintheeventofdisaster.Proprietary-Youdevelopedityourself.Howmuchwoulditcosttore-createit?RecordsandFiles:Allmagneticmediadatafilesthatwouldbelostifthefacilitywerecompletelydestroyed.Simplycountandmultiply.Theinformationcontentofthoseitemsiscoverednext.DataandInformation:Anarbitraryvaluemethodicallyappliedtorepresentthevalueofa。

6、lldataandinformationmaintainedinthecomputerfacility;includinganylossesthatmightoccurwerethedatacompromisedbutnotnecessarilydestroyed.Forestimatingthecostsofthedataitself,talktotheinformationowners:findouthowmuchtimeandresourceswouldberequiredtoreplaceit(iftheyneedtoreplaceitall).Costtimeandresources-theprocurementdepartmentshouldbeabletocoststafftimewhenneeded.Onemeasureisthelaborneededtorecreateit.Tothisshouldbeaddedtheopportunitycost--themoneyunearnedbecauseoneisbusyrecreatinginsteadofproceedi。

7、ngwithotherbusiness.Trytoestimateimpactonthebusiness:askquestionssuchas:canyoudoyourworkwithoutthisdata?Ifnot,canthecompanyoperatewithoutrevenueuntilyougettheinformationback?andsoon.Estimatecostofthisimpact(takingintoaccountintangiblessuchaslossofbusiness,lossofreputation,etc.).Internal/externalauditorsshouldbeabletohelpdothecostestimating.Informationresultsfromtheprocessingofdata.Althoughtherearewaystoquantifyandcharacterizedata,measuringthevalueofinformationismoredifficult.Oftenasmallamountofi。

8、nformationwillhavegreatervaluethanlargeamountsofotherinformation.Theneedtodesigncost-effectiveinformationprotectionarchitecturesaddsnewurgencytothisclassicproblem.Thereisnoonemetricthatappliestoallcircumstances,butanapproachusingmultiplemetrics,eachlookingatoneaspectcanstillbeuseful.Althoughitwouldbenicetohaveasimplewayofassigninganabsolutevaluetoinformation,itmaybemoreusefultoassessvalueisrelativetosomecontextincludingtheusesthataretobemadeofitaswellastheactionsofcompetitorsorenemies.Therearedi。

9、fferenttypesandplaceswhereinformationresidesinanorganizationandmethodstoassessitsvalueineachofthese.VitalInformationexistsin:•VisionorMissionStatements,•StrategicPlansorOperationalConcepts•BusinessProcesses•CorporateDatabases•InformationSystemResourcesincludingthecapabilitiesoftheknowledgeworkerswhoseexpertisemakesthingsfunction.(Theseresourcesaretheonesthatyouwillprobablybemoreconcernedabout.)Thecostassociatedwithintellectualpropertyshouldtakeintoaccounthowtheorganizationwouldreactifthedatawere。

10、tobetotallycompromised.Sometypesofinformation,suchastradesecretsarevaluablebecausetheyenableittobuildbetterproductsorconductatypeofbusinessmoreablythanthosewhodon'tsharethesesecrets.Thistypeofinformationcanloseitsvalueshoulditbecomecommonlyavailable.Thesameistrueofintellectualcapitalsuchassoftwareorcopyrightedliterature.Regardlessofotherfunctionalorsocietalvalueitmaycarry,itscommercialvaluederivesfromitsabilitytoinfluencepurchasesorproductscontainingit.Othertypesofinformationsuchasadvertisingorpo。