信息安全管理（影印版）

ListofFigures
ListofTables
Preface
Acknowledgments

PartIIntroduction
Chapter1ManagingInformationSecurityRisks
1.1informationSecurity
WhatIsInformationSecurity?
VulnerabilityAssessment
InformationSystemsAud/t
InformationSecurityRiskEvaluat/on
ManagedServiceProviders
ImplementingaRiskManagementApproach
1.2InformationSecurityRiskEvaluation
andManagement
EvaluationActivities
RiskEvaluationandManagement
1.3AnApproachtoInformationSecurity
RiskEvaluations
OCTAVEApproach
InformationSecurityRisk
ThreePhases
OCTAVEVariations
CommonElements

Chapter2PrinciplesandAttributesofInformationSecurityRiskEvaluations
2.1Introduction
2.2InformationSecurityRiskManagementPrinciples
2.2.1InformationSecurityRiskEvaluationPrinciples
2.2.2RiskManagementPrinciples
2.2.3OrganizationalandCulturalPrinciples
2.3InformationSecurityRiskEvaluationAttributes
2.4InformationSecurityRiskEvaluationOutputs
2.4.1Phase1:BufidAsset-BasedThreatProfiles
2.4.2Phase2:IdentifyInfrastructureVulnerabilities
2.4.3Phase3:DevelopSecurityStrategyandPlans

PartIITheOCTAVEMethod
Chapter3introductiontotheOCTAVEMethod
3.1OverviewoftheOCTAVEMethod
3.1.1Preparation
3.1.2Phase1:BuildAsset-BasedThreatProfiles
3.1.3Phase2:IdentifyInfrastructureVulnerabilities
3.1.4Phase3:DevelopSecurityStrategyandPlans
3.2MappingAttributesandOutputstotheOCTAVEMethod
3.2.1AttributesandtheOCTAVEMethod
3.2.2OutputsandtheOCTAVEMethod
3.3IntroductiontotheSampleScenario

Chapter4PreparingforOCTAVE
4.1OverviewofPreparation
4.2ObtainSeniorManagementSponsorship
ofOCTAVE
4.3SelectAnalysisTeamMembers
4.4SelectOperationalAreastoParticipateinOCTAVE
4.5SelectParticipants
4.6CoordinateLogistics
4.7SampleScenario

Chapter5IdentifyingOrganizationalKnowledge(Processes1to3)
5.1OverviewofProcesses1to3
5.2IdentifyAssetsandRelativePriorities
5.3IdentifyAreasofConcern
5.4IdentifySecurityRequirementsforMostImportantAssets
5.5CaptureKnowledgeofCurrentSecurityPracticesandOrganizationalVulnerabilities

Chapter6CreatingThreatProfiles(Process4)
6.1OverviewofProcess4
6.2BeforetheWorkshop:ConsolidateInformationfromProcesses1to3
6.3SelectCriticalAssets
6.4RefineSecurityRequirementsforCriticalAssets
6.5IdentifyThreatstoCriticalAssets

Chapter7IdentifyingKeyComponents(Process5)
7.1OverviewofProcess5
7.2IdentifyKeyClassesofComponents
7.3IdentifyInfrastructureComponentstoExamine

Chapter8EvaluatingSelectedComponents(Process6)
8.1OverviewofProcess6
8.2BeforetheWorkshop:RunVulnerabilityEvaluationToolsonSelectedInfrastructureComponents
8.3ReviewTechnologyVulnerabilitiesandSummarizeResults

Chapter9ConductingtheRiskAnalysis(Process7)
9.1OverviewofProcess7
9.2IdentifytheImpactofThreatstoCriticalAssets
9.3CreateRiskEvaluationCriteria
9.4EvaluatetheImpactofThreatstoCriticalAssets
9.5incorporatingProbabilityintotheRiskAnalysis
9.5.1WhatIsProbability?
9.5.2ProbabilityintheOCTAVEMethod

Chapter10DevelopingaProtectionStrategy--WorkshopA(Process8A)
10.1OverviewofProcess8A
10.2BeforetheWorkshop:Consolidate
InformationfromProcesses1to3
10.3ReviewRiskInformation
10.4CreateProtectionStrategy
10.5CreateRiskMitigationPlans
10.6CreateActionList
10.7IncorporatingProbabilityintoRiskMitigation

Chapter11DevelopingaProtectionStrategy--WorkshopB(Process8B)
11.1OverviewofProcess8B
11.2BeforetheWorkshop:PreparetoMeetwithSeniorManagement
11.3PresentRiskInformation
11.4ReviewandRefineProtectionStrategy,MitigationPlans,andActionList
11.5CreateNextSteps
11.6SummaryofPartII

PartIIIVariationsontheOCTAVEApproach
Chapter12AnIntroductiontoTailoringOCTAVE
12.1TheRangeofPossibilities
12.2TailoringtheOCTAVEMethodtoYourOrganization
12.2.1TailoringtheEvaluation
12,2.2TailoringArt/facts

Chapter13PracticalApplications
13.1Introduction
13.2TheSmallOrganization
13.2.1CompanyS
13.2.2ImplementingOCTAVEinSmallOrganizations
13.3VeryLarge,DispersedOrganizations
13.4IntegratedWebPortalServiceProviders
13.5LargeandSmallOrganizations
13.6OtherConsiderations

Chapter14InformationSecurityRiskManagement
14.1Introduction
14.2AFrameworkforManagingInformationSecurityRisks
14:2.1Identify
14.2.2Analyze
14.2.3Plan
14.2.4Implement
14.2.5Monitor
14.2.6Control
14.3ImplementingInformationSecurityRiskManagement
14.4Summary
Glossary
Bibliography

AppendixACaseScenariofortheOCTAVEMethod
A.1MedSiteOCTAVEFinalReport:Introduction
A.2ProtectionStrategyforMedSite
A.2.1Near-TermActionItems
A.3RisksandMitigationPlansforCriticalAssets
A.3.1PaperMedicalRecords
A.3,2PersonalComputers
A.3.3PIDS
A.3.4ABCSystems
A.3.5ECDS
A.4TechnologyVulnerabilityEvaluationResults
andRecommendedActions
A.5AdditionalInformation
A.5.1RiskImpactEvaluationCriteria
A.5.20therAssets
A.5.3ConsolidatedSurveyResults
AppendixBWorksheets
B.1KnowledgeElicitationWorksheets
B.1.1AssetWorksheet
B.1.2AreasofConcernWorksheet
B.1.3SecurityRequirementsWorksheet
B.1.4PracticeSurveys
B.1.5ProtectionStrategyWorksheet
B.2AssetProfileWorksheets
B.2.1CriticalAssetInformation
B.2.2SecurityRequirements
B.2.3ThreatProNeforCriticalAsset
B.2.4System(s)ofInterest
B.2.5KeyClassesofComponents
B.2.6InfrastructureComponentstoExamine
B.2.7SummarizeTechnologyVulnerabilities
B.2.8RecordActionItems
B.2.9RiskImpactDescriptions
B.2.10RiskEvaluationCriteriaWorksheet
B.2.11RiskProfileWorksheet
B.2.12RiskMitigationPlans
B.3StrategiesandActions
B.3.1CurrentSecurityPracticesWorksheets
B.3.2ProtectionStrategyWorksheets
B.3.3ActionListWorksheet
AppendixCCatalogofPractices
AbouttheAuthors
Index

第I部分引言
第1章信息安全管理
1.1信息安全
1.2信息安全風(fēng)險(xiǎn)評(píng)估和管理
1.3一種信息安全風(fēng)險(xiǎn)評(píng)估的方法
第2章信息安全風(fēng)險(xiǎn)評(píng)估的原則和屬性
2.1簡(jiǎn)介
2.2信息安全風(fēng)險(xiǎn)管理原則
2.3信息安全風(fēng)險(xiǎn)評(píng)估的屬性
2.4信息安全風(fēng)險(xiǎn)評(píng)估的輸出,

第II部分OCTAVE方法
第3章OCTAVEMethod簡(jiǎn)介
3.1OCTAVE方法簡(jiǎn)介
3.2把屬性和輸出映射到OCTAVEMethod
3.3情節(jié)實(shí)例簡(jiǎn)介
第4章為OCTAVE做準(zhǔn)備
4.1準(zhǔn)備概述
4.2爭(zhēng)取高層管理部門支持OCTAVE
4.3挑選分析團(tuán)隊(duì)成員
4.4選擇OCTAVE涉及的業(yè)務(wù)區(qū)域
4.5選擇參與者
4.6協(xié)調(diào)后勤工作
4.7情節(jié)實(shí)例
第5章標(biāo)識(shí)組織的知識(shí)
5.1過(guò)程1到3概述
5.2標(biāo)識(shí)資源及其相對(duì)優(yōu)先級(jí)
5.3標(biāo)識(shí)涉及區(qū)域
5.4標(biāo)識(shí)最重要的資源的安全需求
5.5獲取當(dāng)前的安全實(shí)踐和組織弱點(diǎn)的知識(shí)
第6章建立威脅配置文件
6.1過(guò)程4概述
6.2討論會(huì)之前：整理從過(guò)程1到3中收集的信息
6.3選擇關(guān)鍵資源
6.4提煉關(guān)鍵資源的安全需求
6.5標(biāo)識(shí)對(duì)關(guān)鍵資源的威脅
第7章標(biāo)識(shí)關(guān)鍵組件
7.1過(guò)程5概述
7.2標(biāo)識(shí)組件的關(guān)鍵種類
7.3標(biāo)識(shí)要研究的基礎(chǔ)結(jié)構(gòu)組件
第8章評(píng)估選定的組件
8.1過(guò)程6概述
8.2討論會(huì)之前：對(duì)基礎(chǔ)結(jié)構(gòu)組件運(yùn)行弱點(diǎn)評(píng)估工具
8.3技術(shù)弱點(diǎn)評(píng)估及結(jié)果總結(jié)
第9章執(zhí)行風(fēng)險(xiǎn)分析
9.1過(guò)程7簡(jiǎn)介
9.2標(biāo)識(shí)關(guān)鍵資源的威脅所產(chǎn)生的影響
9.3建立風(fēng)險(xiǎn)評(píng)估標(biāo)準(zhǔn)
9.4評(píng)估關(guān)鍵資源的威脅產(chǎn)生的影響
9.5應(yīng)用概率于風(fēng)險(xiǎn)分析
第10章開(kāi)發(fā)保護(hù)策略--討論會(huì)A
10.1過(guò)程8A簡(jiǎn)介
10.2討論會(huì)之前：整理從過(guò)程1到3中收集的信息
10.3評(píng)審風(fēng)險(xiǎn)信息
10.4制定保護(hù)策略
10.5建立風(fēng)險(xiǎn)緩和計(jì)劃
10.6制定行動(dòng)列表
10.7在風(fēng)險(xiǎn)緩和中應(yīng)用概率
第11章開(kāi)發(fā)保護(hù)策略--討論會(huì)B
11.1過(guò)程8B簡(jiǎn)介
11.2討論會(huì)之前：準(zhǔn)備與高層管理部門會(huì)面
11.3介紹風(fēng)險(xiǎn)信息
11.4評(píng)審并提煉保護(hù)策略.緩和計(jì)劃和行動(dòng)列表
11.5確定后續(xù)步驟
11.6第Ⅱ部分總結(jié)

第III部分OCTAVE方法的變體
第12章剪裁OCTAVE方法簡(jiǎn)介
12.1可能性范圍
12.2為組織剪裁OCTAVE方法
第13章實(shí)際應(yīng)用
13.1引言
13.2小型組織
13.3超大型的.分散的組織
13.4綜合的Web入口服務(wù)提供商
13.5大型組織和小型組織
13.6其他需要考慮的問(wèn)題
第14章信息安全風(fēng)險(xiǎn)管理
14.1引言
14.2信息安全風(fēng)險(xiǎn)管理的框架
14.3實(shí)施信息安全風(fēng)險(xiǎn)管理
14.4總結(jié)
術(shù)語(yǔ)表

附錄
附錄AOCTAVE方法的實(shí)例情節(jié)
A.1MedSite的OCTAVE最終報(bào)告：引言
A.2為MedSite制定的保護(hù)策略
A.3對(duì)關(guān)鍵資源的風(fēng)險(xiǎn)和緩和計(jì)劃
A.4技術(shù)弱點(diǎn)評(píng)估結(jié)果及建議的行動(dòng)
A.5補(bǔ)充信息
附錄B工作表
B.1問(wèn)題征集工作表
B.2資源配置文件工作表
B.3策略和行動(dòng)
附錄C實(shí)踐目錄