信息安全治理和风险管理.pptx

信息安全治理和风险管理Information Security Governance and Risk ManagementCISSP第六版培训课件之一关键知识领域A. Understand and align security function to goals, mission and objectives of the organization理解安全功能并将其与机构目标、使命和宗旨相结合B. Understand and apply security governance理解并运用安全治理B.1 Organizational processes (e.g., acquisitions, divestitures, governance committees)组织过程（如收购、分拆、治理委员会）B.2 Security roles and responsibilities安全角色与职责B.3 Legislative and regulatory compliance法律和监管的合规B.4 Privacy requirements compliance隐私要求的合规B.5 Control frameworks控制框架B.6 Due care尽职关注B.7 Due diligence尽职调查关键知识领域C. Understand and apply concepts of confidentiality, integrity and availability理解并运用保密性、完整性与可用性的概念D. Develop and implement security policy制定并施行安全政策D.1 Security policies安全政策D.2 Standards/baselines标准/基准D.3 Procedures程序D.4 Guidelines方针D.5 Documentation文件编制E. Manage the information life cycle (e.g., classification, categorization, and ownership)管理信息的生命周期（如分类、归类与所有权）F. Manage third-party governance (e.g., on-site assessment, document exchange and review, process/policy review)管理第三方治理（如现场评估、文件交换及审查，过程/政策审查）关键知识领域G. Understand and apply risk management concepts理解并运用风险管理的概念G.1 Identify threats and vulnerabilities身份识别的威胁与漏洞G.2 Risk assessment/analysis (qualitative, quantitative, hybrid)风险评估/分析（定性型、定量型、混合型）G.3 Risk assignment/acceptance风险分配/接纳G.4 Countermeasure selection对策选择G.5 Tangible and intangible asset valuation对有形资产和无形资产的评估H. Manage personnel security管理人员安全H.1 Employment candidate screening (e.g., reference checks, education verification)求职者甄选（如证明人核实、教育背景查证）H.2 Employment agreements and policies雇佣协议与政策H.3 Employee termination processes员工解雇流程H.4 Vendor, consultant and contractor controls销售方、顾问与承包商控制关键知识领域I. Develop and manage security education, training and awareness发展并管理安全教育、安全培训与安全意识J. Manage the Security Function管理安全功能J.1 Budget预算J.2 Metrics衡量标准J.3 Resources资源J.4 Develop and implement information security strategies开发并实施信息安全策略J.5 Assess the completeness and effectiveness of the security program评估安全项目的完整性与有效性目录安全基本原则（