请选择 进入手机版 | 继续访问电脑版

ITIL,DevOps,ITSS,ITSM,IT运维管理-ITIL先锋论坛

 找回密码
 微信、QQ、手机号一键注册

扫描二维码登录本站

QQ登录

只需一步,快速开始

搜索
查看: 534|回复: 0

Practice_Information security management 信息安全管理实践

[复制链接]
发表于 2020-4-15 11:56:52 | 显示全部楼层 |阅读模式
返回 ITIL 4理论与实践整体知识体系中文版发布文件汇总






信息安全变得越来越重要,但又困难重重。信息安全管理实践在数字化转型的背景中越来越重要。这是由于数字化服务在各个行业中的增长,其中安全信息泄露可能会对组织的业务产生重大影响。云解决方案的广泛使用以及与合作伙伴和服务消费者的数字化服务一起使用的集成产生了新的关键依赖性,而控制的信息收集,存储,共享和使用方式的能力有限。合作伙伴和服务使用者的处境相同,通常会在数据保护和信息安全解决方案上进行投资。但是,组织之间缺少集成和一致性会产生新的漏洞,需要理解和解决。信息安全管理实践与其他规范(包括:可用性管理,容量和性能管理,信息安全管理,风险管理,服务设计,关系管理,架构管理,供应商管理和其他规范)结合在一起,可确保组织的产品和服务满足所有相关方要求的信息安全级别。



许多组织认为信息安全管理实践是更广泛的安全管理的专门分支。在服务经济中,每个组织的业务都是由服务驱动并具有数字功能。由于安全管理更加关注数字化服务和信息的安全,因此这可能导致学科的联系更加紧密。如果数字化转型消除了“ IT 管理”和“ 业务管理”之间的边界,则集成既可能又有用。(有关此主题的更多信息,请参见ITIL®4:高速IT)。
2.2        术语和概念
  
2.2.1        安全特性
信息安全管理实践有助于确保保密性,完整性和可用性进行业务所需的信息,并带有一些活动和控件来保留这些特性。此外,信息安全管理实践通常与身份验证和不可否认性有关。


保密性是许多人在考虑信息安全时想到的第一件事。个人和组织希望确保其机密保持秘密,并且不要滥用其个人信息或业务信息。


如果该信息在需要的时间和地点不可用,则组织无法执行其业务。
可用性管理实践考虑了服务可用性的许多方面。但是,信息安全管理实践主要与可用性有关。


不正确的信息可能比根本没有任何信息更糟。例如,如果一家银行错误地认为客户的帐户中有大量资金并允许他们提取该笔款项,则该银行可能遭受重大损失。


身份验证用于建立人与物的身份。例如:
●        用户名和密码通常用于对人员进行身份验证,尽管通常首选使用生物特征识别和安全令牌的更严格的身份验证。
●        网站可以使用证书和加密来提供身份验证。



自从IT系统和服务存在之前,就已经在业务事务中使用了不可否认性。传统上,将使用签名,如果需要更高级别的证明,则可能需要对该签名进行公证。信息安全依赖不可否认性,因此可以进行交易。这对于保留完整性信息至关重要。


2.2.2        资产,威胁,威胁参与者和漏洞


定义:资产
资产是具有价值到组织的任何东西。
资产可能包括硬件,软件,网络,信息,人员,业务流程,服务,组织,建筑物或其他对组织有价值的东西。信息安全管理实践帮助保护资产,以便组织可以执行其业务。

1此定义不同于可用性管理实践所使用的定义。服务可用性的定义与信息可用性的定义不同。

定义:
威胁是任何可能在资产上带有负影响的潜在事态。
威胁演员是构成威胁的任何人或组织。
脆弱性是资产或控制中的任何弱点,均可被威胁利用。
这些术语的相关关系如下:威胁参与者利用漏洞在资产上拥有影响。


2.2.2.1        威胁和脆弱性评估
威胁评估用于识别潜在威胁,因此组织可以采用适当的性能或绩效。该评估可能涉及查看有关组织先前受到的攻击,有关其他类似组织的近期攻击的历史信息,或者只是预测将来可能出现的潜在威胁。威胁评估的输出是组织需求在其规划中要考虑的威胁列表。当规划发生变化时,可以定期进行威胁评估,并作为检查。
脆弱性评估用于识别特定环境,服务或配置项中的漏洞。通常,这涉及编译潜在漏洞列表,并使用工具对环境中的每个组件进行测试验证,以查看脆弱性是否存在。脆弱性评估可以定期进行,也可以在部署期间检查基础架构或应用程序。有许多工具可以支持脆弱性评估,许多供应商可以将脆弱性评估为服务






Information security is becoming an increasingly important but difficult task. The information security management practice is increasingly important in the context of digital transformation. This is due to the growth of digital services across industries, where information security breaches might have a major effect on an organization’s business. The wider use of cloud solutions and the wider integration with partners’ and service consumers’ digital services creates new critical dependencies, with limited ability to control how information is collected, stored, shared, and used. Partners and service consumers are in the same situation, and usually invest in data protection and information security solutions. However, a lack of integration and consistency between organizations creates new vulnerabilities, which need to be understood and addressed. The information security management practice in conjunction with other practices (including: availability management, capacity and performance management, information security management, risk management, service design, relationship management, architecture management, supplier management and other practices) ensures that an organization’s products and services meet the required level of information security for all involved parties.


The information security management practice is considered by many organizations to be a specialized branch of wider security management. In a service economy, every organization’s business is service-driven and digitally-enabled. This may lead to a closer integration of the disciplines, as security management focuses more on the security of digital services and information. This integration is both possible and useful where digital transformation has led to the removal of the borders between ‘IT management’ and ‘business management’ (see ITIL®4: High-velocity IT for more on this topic).


2.2        TERMS AND CONCEPTS
  
2.2.1        Security characteristics
The information security management practice helps to ensure the confidentiality, integrity, and availability of the information needed to conduct business, with several activities and controls needed to preserve these characteristics. Additionally, the information security management practice is often concerned with authentication and non-repudiation.


Confidentiality is the first thing that many people think of when they consider information security. People and organizations want to ensure that their secrets remain secret, and that their personal or business information is not misused.

If the information is not available when and where it is needed, then the organization is unable to conduct its business.
The availability management practice considers many aspects of service availability. However, the information security management practice is mostly concerned with the availability of information.


Incorrect information may be worse than not having any information at all. For example, if a bank incorrectly believes that a customer has a large amount of money in their account and allows them to withdraw this, the bank might suffer from a significant loss.


Authentication is used to establish the identity of people and things. For example:
●        Usernames and passwords are often used to authenticate people, although more rigorous authentication using biometrics and security tokens is often preferred.
●        Certificates and encryptions may be used by web sites to provide authentication.






Non-repudiation has been used in business transactions since before the existence of IT systems and services. Traditionally, a signature would be used, and if a higher level of proof was needed then this signature might be notarized. Information security relies on non-repudiation so that transactions can occur. This is essential to preserve the integrity of information.


2.2.2        Assets, threats, threat actors, and vulnerabilities


Definition: Asset
An asset is anything that has value to an organization.
Assets may include hardware, software, networking, information, people, business processes, services, organizations, buildings, or anything else that is valuable to an organization. The information security management practice helps to protect assets so that the organization can conduct its business.





1 This definition is different from the one used for the availability management practice. Service availability is defined differently from the availability of information.


Definitions:
A threat is any potential event that could have a negative impact on an asset.
A threat actor is any person or organization that poses a threat.
A vulnerability is any weakness in an asset or control that could be exploited by a threat.
These terms are related in the following way: Threat actors exploit vulnerabilities to have an impact on assets.


2.2.2.1        Threat and vulnerability assessments
A threat assessment is used to identify potential threats, so that the organization can take appropriate action. This assessment may involve reviewing historical information about previous attacks on the organization, recent attacks against other similar organizations, or simply predicting potential threats that could emerge in the future. The output of a threat assessment is a list of threats that the organization needs to consider in its planning. Threat assessments can be performed on a regular basis and as a check when planning changes.


A vulnerability assessment is used to identify vulnerabilities in a specific environment, service, or configuration item. This typically involves compiling a list of potential vulnerabilities and using tools to test each component in the environment, to see if that vulnerability exists. Vulnerability assessments can be performed on a regular basis, and as a check during the deployment of infrastructure or applications. There are many tools available to support vulnerability assessments and many suppliers can perform vulnerability assessments as a service.















Practice_Information security management 信息安全管理实践ITIL4中文版【初译版】.pdf

1.49 MB, 下载次数: 5, 下载积分: 威望 -1 , 金钱 -1 , 贡献 -1





上一篇:Practice_Service validation and testing 服务验证和测试实践
下一篇:Practice_Monitoring and event management 监控和事态管理实践

本版积分规则

参加 ITIL 4 Foundation和中级过渡MPT认证、DevOps专家认证、ITSS服务经理认证报名

QQ|小黑屋|手机版|Archiver|艾拓先锋网 ( 粤ICP备11099876号-1 )|网站地图

Baidu

GMT+8, 2020-5-31 19:49 , Processed in 0.282913 second(s), 25 queries .

Powered by Discuz! X3.4 Licensed

Copyright © 2001-2020, Tencent Cloud.

快速回复 返回顶部 返回列表