信息安全风险评估培训讲述.ppt

盲目自信阶段 普遍缺乏安全意识，对企业安全状况不了解，未意识到信息安全风险的严重性 认知阶段 通过信息安全风险评估等，企业意识到自身存在的信息安全风险，开始采取一些措施提升信息安全水平 改进阶段 意识到局部的、单一的信息安全控制措施难以明显改善企业信息安全状况，开始进行全面的信息安全架构设计，有计划的建设信息安全保障体系 卓越运营阶段 信息安全改进项目完成后，在拥有较为全面的信息安全控制能力基础上，建立持续改进的机制，以应对安全风险的变化，不断提升安全控制能力 Risk Assessment Components By communicating a consistent structure for evaluating the components of risk, digital asset owners and OTG have a common taxonomy to track the progress and contribute to the evaluation process. It is important to note that many stakeholders are required to sufficiently address each component. This is especially true for the more subjective areas of business impact costs, the likelihood of vulnerabilities occurring, and the larger cost/benefit analysis to evaluate new control solutions. Stakeholders can include risk management experts who are involved in calculating risk, security analysts who know specific vulnerabilities and threat probabilities, data owners who know the value of the digital assets under consideration, and security architects and engineers who can identify potential security controls to mitigate risk. Risk assessment for the IPsec project looked like the following: ? Asset: Protecting digital assets in the Highest Value and High Value data classes. ? Threat: Unauthorized access, compromise of data integrity “over the wire,” and information gathering that may lead to an expanded attack. ? Impact: Microsoft suffers lost revenue and reputation from stolen or damaged data and intellectual property. ? Vulnerability: Attacks may occur from network-level threats such as buffer overflow attacks, exploit of unpatched vulnerabilities, and exploit of system misconfiguration. Hackers could also introduce worms that infect unmanaged computers, which in turn could infect managed computers. ? Controls: Antivirus software, screening routers and firewalls, patch management, centrally managed security configurations, and other measures. ? Probability: High. Attacks have occurred and will likely happen agai