信息安全概述--安全评估.pptVIP

Parts 1, 2 Part 1: ISO/IEC 17799:2000 the standard code of practice and can be regarded as a comprehensive catalogue of good security things to do. Part 2: BS7799-2:2002 Specify for security management a standard specification for an Information Security Management Systems (ISMS). An ISMS is the means by which Senior Management monitor and control their security, minimising the residual business risk and ensuring that security continues to fulfil corporate, customer and legal requirements. ToC of P1 Information security policy Security organization Assets classification and control Personal security Physical and environmental security Computer and network management System access control System development and maintenance Business continuity planning Compliance BS7799认证 BS7799认证咨询 /fwxm/rzzx/BS7799.htm /m01.htm links BS7799/BSI /Corporate/17799.xalter The ISO17799 Toolkit /index.htm BS7799 SECURITY ZONE http://www.thewindow.to/bs7799/index.htm 对密码设备的评估 国内相关的法规 《商用密码管理条例》 … 国外 NIST FIPS 140-2 /cryptval/140-2.htm /cryptval/ Goto “fips140-2.pdf” “fips140-2_SL.1-4.txt” “fips140faq.htm” Security Level 1 // 该级提供安全的最低水平。不要求物理安全机制。一个例子就是PC机加密板。 // 该级允许在未经评估的一般商用机器系统上运行你的密码模块。这主要是为了方便一些低安全需求的场合。 “fips140-2_SL.1-4.txt” Security Level 2 // 该级增加了防干扰或窜改的物理安全机制要求，包括封装、封条、防撬等。 // 该级要求最小的基于角色的认证。 // 该级允许相关部件运行在具有EAL2/CC安全级别的计算系统上。 Security Level 3 // 该级阻止试图对密码模块的入侵，并在必要时自毁敏感信息。 // 该级要求基于标识的认证机制。 // 该级系统得具有EAL3/CC安全级。 Security Level 4 // 该级对密码模块提供彻底的封装保护，能探测到非授权的物理访问，并能及时的删除所有明文信息。 // 必须考虑外部的高温、高压导致的操作失效；非正常操作可以引发故意的内部爆炸。 // 该级系统得运行在EAL4/CC以上安全级上。 Links TCSEC / FIPS 140 Security Requirements for Cryptographic Modules /cryptval/ Common Criteria (CCITSE) /cc/ TPEP /tpep/ /tpep/tpep.html The Information Warfare Site .uk/ Rainbow Series Library Rainbow Series Library /tpep/library/rainbow/ /articles/RainbowSeriesLibraryTheOneTheOnly.php /irp/nsa/rainbow.htm Computer Security Evaluation FAQ /faqs/computer-security/evaluations/ Goto “Computer Security