Risk Management
James W. Meritt, CISSP
Jim.Meritt@Wang.com
Wang Global
(703) 827-3534

Abstract

To believe the news media, there are a host of cruel and omnipotent hackers out there who can totally destroy any system they set their minds to, spreading total devastation upon whoever and wherever they wish. The slightest freak of nature - heavy rain, a fire, a date on a calendar - can wipe any system out entirely. This is not the case: the devastation is not total, the destruction is not complete; there are countermeasures which can be brought to bear to avoid this disastrous outcome.

Introduction

There are a number of very real risks to information systems, but they are not absolute. There is a chance of any system being subject to attack, but it isn't certain. You are not subject to the whims of the attacker or of nature; there are many things which can be done to mitigate the losses. Risk management is the total process of identifying, measuring, and minimizing uncertain events affecting resources. This paper was written to help in the objective analysis of the risk management process.

Evaluating What Is At Risk

Every asset has an associated cost. The cost of a physical asset should be at least its replacement cost, adjusted for inflation since it was purchased. Categories that should be considered are:

Facilities: All buildings, air conditioning, furnishings and other support equipment. Excludes any asset more properly classifiable in another asset category. Think of things like fire or flood. Other possibilities include earthquake, bombs and chemical contamination which causes the EPA to close the facility. The cost associated with computing resources can be the cost to run the resource for a given time period, or an estimate of the time required to rebuild/compile, test and re-install.

Equipment: All information system equipment located in the contiguous area. Does NOT include equipment that would NOT be lost in, say, a fire that completely destroys the computer facility, such as relay equipment under a manhole cover or mounted on a telephone pole outside of the facility. Everything that you had to buy and install in the center: you should be able to get the purchase price easily. And check the maintenance agreement; there may be some proviso in there amongst the warranty information.

Software: All programs and documentation that would be lost if the computer facility were completely destroyed. This can be broken down into:

Commercial - You bought it, so you can consult your receipt. Check the warranty information, because it may be replaced for free in the event of a disaster.

Proprietary - You developed it yourself. How much would it cost to re-create it?

Records and Files: All magnetic media data files that would be lost if the facility were completely destroyed. Simply count and multiply. The information content of those items is covered next.

Data and Information: An arbitrary value methodically applied to represent the value of all data and information maintained in the computer facility, including any losses that might occur were the data compromised but not necessarily destroyed. For estimating the costs of the data itself, talk to the information owners: find out how much time and resources would be required to replace it (if they need to replace it at all). Cost the time and resources; the procurement department should be able to cost staff time when needed. One measure is the labor needed to recreate it. To this should be added the opportunity cost: the money unearned because one is busy recreating instead of proceeding with other business. Try to estimate the impact on the business by asking questions such as: can you do your work without this data? If not, can the company operate without revenue until you get the information back? And so on. Estimate the cost of this impact, taking into account intangibles such as loss of business, loss of reputation, etc. Internal and external auditors should be able to help with the cost estimating.

Information results from the processing of data. Although there are ways to quantify and characterize data, measuring the value of information is more difficult. Often a small amount of information will have greater value than large amounts of other information. The need to design cost-effective information protection architectures adds new urgency to this classic problem. There is no one metric that applies to all circumstances, but an approach using multiple metrics, each looking at one aspect, can still be useful. Although it would be nice to have a simple way of assigning an absolute value to information, it may be more useful to assess value relative to some context, including the uses that are to be made of it as well as the actions of competitors or enemies. There are different types and places where information resides in an organization, and methods to assess its value in each of these. Vital information exists in:

• Vision or Mission Statements
• Strategic Plans or Operational Concepts
• Business Processes
• Corporate Databases
• Information System Resources, including the capabilities of the knowledge workers whose expertise makes things function. (These resources are the ones that you will probably be more concerned about.)

The cost associated with intellectual property should take into account how the organization would react if the data were to be totally compromised. Some types of information, such as trade secrets, are valuable because they enable the organization to build better products or conduct a type of business more ably than those who don't share these secrets. This type of information can lose its value should it become commonly available. The same is true of intellectual capital such as software or copyrighted literature. Regardless of other functional or societal value it may carry, its commercial value derives from its ability to influence purchases of products containing it. Other types of information such as advertising or po
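The asset-valuation method of "Evaluating What Is At Risk" can be carried through as a small asset register. The following is an added example, not code from Meritt's paper: it applies the paper's category list, its inclusion test (an item counts only if it would be lost with the facility), the free-replacement caveat for warranted commercial software, an inflation-compounded replacement cost for physical items, and labor plus opportunity cost for data. Every asset name, price, rate, hour and revenue figure in the register is constructed for illustration.

```python
"""Asset register for the 'Evaluating What Is At Risk' method.

Illustration only (not from the paper): the categories, the exclusion rule
for equipment that survives a facility loss, inflation-adjusted replacement
cost and labor-plus-opportunity cost for data follow the text; all figures
below are constructed sample values.
"""
from dataclasses import dataclass
from enum import Enum
from typing import Dict, List


class Category(Enum):
    FACILITIES = "Facilities"
    EQUIPMENT = "Equipment"
    SOFTWARE_COMMERCIAL = "Software (commercial)"
    SOFTWARE_PROPRIETARY = "Software (proprietary)"
    RECORDS = "Records and Files"
    DATA = "Data and Information"


@dataclass
class PhysicalAsset:
    name: str
    category: Category
    purchase_price: float
    purchase_year: int
    lost_if_facility_destroyed: bool = True  # the paper's inclusion test
    covered_by_warranty: bool = False        # vendor replaces for free


@dataclass
class DataAsset:
    name: str
    hours_to_recreate: float      # from the information owner
    hourly_rate: float            # procurement's costing of staff time
    days_without_revenue: float   # business impact while recreating
    daily_revenue_at_risk: float


def replacement_cost(asset: PhysicalAsset, current_year: int, inflation: float) -> float:
    """Purchase price compounded by the inflation rate since purchase.

    Items that would survive a facility loss, or that the vendor replaces
    for free under warranty, add nothing to the exposure total.
    """
    if not asset.lost_if_facility_destroyed or asset.covered_by_warranty:
        return 0.0
    years = max(0, current_year - asset.purchase_year)
    return round(asset.purchase_price * (1 + inflation) ** years, 2)


def data_cost(asset: DataAsset) -> float:
    """Labor to recreate the data plus the opportunity cost of lost revenue."""
    labor = asset.hours_to_recreate * asset.hourly_rate
    opportunity = asset.days_without_revenue * asset.daily_revenue_at_risk
    return round(labor + opportunity, 2)


def exposure_by_category(physical: List[PhysicalAsset], data: List[DataAsset],
                         current_year: int, inflation: float) -> Dict[str, float]:
    """Total what would be lost with the facility, per paper category."""
    totals = {c.value: 0.0 for c in Category}
    for a in physical:
        totals[a.category.value] += replacement_cost(a, current_year, inflation)
    for d in data:
        totals[Category.DATA.value] += data_cost(d)
    return {k: round(v, 2) for k, v in totals.items()}


# Constructed sample register (hypothetical assets and figures).
PHYSICAL = [
    PhysicalAsset("Server room HVAC", Category.FACILITIES, 40_000, 2015),
    PhysicalAsset("Core router", Category.EQUIPMENT, 12_000, 2017),
    # Mounted on a pole outside: survives a fire in the facility, so excluded.
    PhysicalAsset("Telco pole relay", Category.EQUIPMENT, 3_000, 2017,
                  lost_if_facility_destroyed=False),
    PhysicalAsset("Office suite licences", Category.SOFTWARE_COMMERCIAL, 5_000, 2019,
                  covered_by_warranty=True),
    PhysicalAsset("In-house billing system", Category.SOFTWARE_PROPRIETARY, 250_000, 2016),
    PhysicalAsset("Backup tape library", Category.RECORDS, 8_000, 2018),
]
DATA = [
    DataAsset("Customer ledger", hours_to_recreate=400, hourly_rate=75,
              days_without_revenue=10, daily_revenue_at_risk=20_000),
]

if __name__ == "__main__":
    for cat, total in exposure_by_category(PHYSICAL, DATA, 2020, 0.03).items():
        print(f"{cat:24s} {total:>12,.2f}")
```

The point the register makes visible is the one the text stresses: with these sample figures the data category dwarfs every physical category, because the opportunity cost of ten days without revenue is far larger than the labor to re-key the records, and the two excluded items (the external relay and the warranted software) contribute nothing even though they have a purchase price.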