File: второй вариант Методичка ОЗИ 1 (1-64)р.docx

Risk management

Risk management is the process of identifying vulnerabilities¹ and threats to the information resources used by an organization in achieving business objectives, and deciding what countermeasures, if any, to take in reducing risk to an acceptable level, based on the value of the information resource to the organization.

There are two things in this definition that may need some clarification. First, risk management is an ongoing, iterative² process. It must be repeated indefinitely: the business environment is constantly changing, and new threats and vulnerabilities emerge every day. Second, the choice of countermeasures (controls) used to manage risks must strike a balance between productivity, cost, the effectiveness of the countermeasure, and the value of the informational asset being protected.

Risk is the likelihood that something bad will happen that causes harm to an informational asset (or the loss of the asset). Vulnerability is a weakness that could be used to endanger or cause harm to an informational asset. A threat is anything (man-made or act of nature) that has the potential to cause harm. The likelihood that a threat will use a vulnerability to cause harm creates a risk. When a threat does use a vulnerability to inflict harm, it has an impact. In the context of information security, the impact is a loss of availability, integrity, and confidentiality, and possibly other losses (lost income, loss of life, loss of real property).

Risk assessment³ is carried out by a team of people who have knowledge of specific areas of the business. Membership of the team may vary over time as different parts of the business are assessed. The assessment may use a subjective qualitative analysis based on informed opinion, or, where reliable dollar figures and historical information are available, it may use quantitative analysis. Research has shown that the most vulnerable point in most information systems is the human user and operator.

In broad terms, the risk management process consists of a number of processes that include identification of assets and estimation of their value, conducting a threat assessment⁴, vulnerability assessment, and the procedures required to control them. It is necessary to evaluate the effectiveness of the control measures without discernible loss⁵ of productivity.

For any given risk, Executive Management can choose to accept the risk based on the relatively low value of the asset, the relatively low frequency of occurrence, and the relatively low impact on the business. Or, leadership may choose to mitigate the risk⁶ by selecting and implementing appropriate control measures to reduce the risk. In some cases, the risk can be transferred to another business by buying insurance or outsourcing⁷ to another business.
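The decision the paragraphs above describe (estimate the risk from asset value, likelihood and impact, then accept, mitigate or transfer it, weighing the cost of a control against what it saves) can be written down as a small risk register. The script below is an added example and is not part of the study guide; the expected-annual-loss formulation, the acceptance threshold and every asset value, frequency and control figure in it are constructed assumptions, not figures from the text.

```python
"""Added example (not from the study guide): a small quantitative risk register.

For each risk the expected annual loss is estimated from the asset's value,
the fraction of that value lost per incident and the expected number of
incidents per year, then compared with the annual cost of a countermeasure.
The three treatments follow the text: accept, mitigate, or transfer.
All asset values, frequencies, thresholds and control figures are constructed
assumptions for the example, not figures from the text.
"""
from dataclasses import dataclass


@dataclass
class Risk:
    name: str
    asset_value: float          # value of the information asset (constructed, in dollars)
    loss_fraction: float        # share of the asset value lost in one incident, 0..1
    incidents_per_year: float   # how often the threat is expected to exploit the vulnerability
    control_cost: float         # annual cost of the proposed countermeasure
    control_effect: float       # share of the expected loss the countermeasure removes, 0..1
    insurable: bool = False     # whether the risk can be transferred (insurance / outsourcing)


def expected_annual_loss(r: Risk) -> float:
    """Likelihood x impact: asset value lost per incident times incidents per year."""
    return r.asset_value * r.loss_fraction * r.incidents_per_year


def residual_annual_loss(r: Risk) -> float:
    """Expected annual loss that remains after the countermeasure is in place."""
    return expected_annual_loss(r) * (1.0 - r.control_effect)


def treatment(r: Risk, accept_below: float = 1_000.0) -> str:
    """Pick accept / mitigate / transfer. `accept_below` is a constructed threshold."""
    eal = expected_annual_loss(r)
    if eal < accept_below:
        return "accept"                      # low value, frequency or impact
    saving = eal - residual_annual_loss(r)   # what the control is worth per year
    if saving > r.control_cost:
        return "mitigate"                    # the control pays for itself
    if r.insurable:
        return "transfer"                    # cheaper to insure or outsource
    # Control not cost-effective and no transfer option: the residual risk
    # has to be formally accepted by management.
    return "accept"


def build_register() -> list[Risk]:
    """Constructed sample risks."""
    return [
        Risk("stolen laptop with unencrypted disk", 50_000, 0.20, 0.5, 2_000, 0.9),
        Risk("public website defacement", 20_000, 0.05, 0.5, 5_000, 0.8),
        Risk("data centre flooding", 2_000_000, 0.50, 0.01, 40_000, 0.5, insurable=True),
    ]


def plan(risks: list[Risk]) -> dict[str, str]:
    """Map each risk name to its chosen treatment."""
    return {r.name: treatment(r) for r in risks}


if __name__ == "__main__":
    for r in build_register():
        print(f"{r.name:40s} EAL={expected_annual_loss(r):>10,.0f}  -> {treatment(r)}")
```

Running it shows the three outcomes side by side: the laptop risk is worth mitigating because a 2,000-per-year control removes 4,500 of expected loss, the defacement risk falls under the acceptance threshold, and the flood risk is too expensive to control in-house but can be insured. The threshold and the figures are the knobs a real assessment team would argue about; the structure of the decision is what the text describes.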

When Management chooses to mitigate a risk, they will do so by implementing one or more of three different types of controls.

Administrative.

Administrative controls (also called procedural controls) consist of approved written policies, procedures, standards and guidelines. They inform people on how the business is to be run and how day-to-day operations are to be conducted. Laws and regulations created by government bodies are also a type of administrative control. Examples of administrative controls include the corporate security policy, password policy, hiring policies⁸, etc. Administrative controls form the basis for the selection and implementation of logical and physical controls. Administrative controls are of paramount importance.

Logical.

Logical controls (also called technical controls) use software and data to monitor and control access to information and computing systems. For example: passwords, network- and host⁹-based firewalls¹⁰, network intrusion detection systems, access control lists, and data encryption are logical controls. A frequently overlooked¹¹ logical control is the principle of least privilege¹². This principle requires that an individual, program or system process is not granted any more access privileges than are necessary to perform the task. A failure of this principle can occur when an individual collects additional access privileges over time. This happens when employees have their job duties¹³ changed, or they are promoted, or they transfer to another department. The access privileges required by their new duties are frequently added onto their already existing access privileges, which may no longer be necessary or appropriate.

Physical.

Physical controls monitor and control the environment of the workplace and computing facilities. They also monitor and control access to and from such facilities. For example: doors, locks, heating and air conditioning, smoke and fire alarms, fire suppression systems¹⁴, cameras, barricades, fencing¹⁵, security guards, cable locks, etc. A frequently overlooked physical control is the separation of duties. Separation of duties ensures that an individual cannot complete a critical task by himself. For example: an employee who submits a request for reimbursement¹⁶ should not also be able to authorize payment or print the check.
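The two overlooked controls described above, least privilege (with the privilege-creep failure mode from the "Logical" paragraph) and separation of duties (the reimbursement example in the "Physical" paragraph), are both things an access review can check mechanically. The script below is an added example and is not part of the study guide; the role baselines, the conflicting entitlement pairs, the user names and the entitlement names are all constructed for the illustration.

```python
"""Added example (not from the study guide): a small access-review check.

It flags the two failure modes the text describes:
  * privilege creep: a user still holds entitlements from a former role after a
    promotion or transfer, so they have more access than their current duties
    need (a least-privilege failure);
  * separation-of-duties conflicts: one person holds a combination of
    entitlements that lets them complete a critical task alone, e.g. submit
    a reimbursement request and also approve its payment or print the check.
Role baselines, conflict pairs, user names and entitlement names are all
constructed for the example.
"""
from dataclasses import dataclass, field

# Entitlements each role legitimately needs (constructed baseline).
ROLE_BASELINE: dict[str, set[str]] = {
    "accounts_payable_clerk": {"expense.submit", "vendor.read", "email"},
    "finance_manager": {"expense.approve", "vendor.read", "report.read", "email"},
    "treasury": {"check.print", "bank.read", "email"},
    "sales": {"crm.read", "crm.write", "email"},
}

# Combinations no single person may hold (constructed "toxic pairs").
SOD_CONFLICTS: list[frozenset[str]] = [
    frozenset({"expense.submit", "expense.approve"}),
    frozenset({"expense.approve", "check.print"}),
    frozenset({"expense.submit", "check.print"}),
]


@dataclass
class User:
    name: str
    role: str                                   # current role after any transfer or promotion
    entitlements: set[str] = field(default_factory=set)


def excess_privileges(user: User) -> set[str]:
    """Entitlements the user holds beyond the baseline of their *current* role."""
    return user.entitlements - ROLE_BASELINE.get(user.role, set())


def sod_violations(user: User) -> list[frozenset[str]]:
    """Toxic combinations fully contained in the user's entitlements."""
    return [pair for pair in SOD_CONFLICTS if pair <= user.entitlements]


def review(users: list[User]) -> dict[str, dict]:
    """Run both checks; only users with at least one finding appear in the result."""
    findings: dict[str, dict] = {}
    for u in users:
        f: dict = {}
        extra = excess_privileges(u)
        if extra:
            f["excess"] = sorted(extra)             # candidates for revocation
        conflicts = sod_violations(u)
        if conflicts:
            f["sod"] = [sorted(pair) for pair in conflicts]
        if f:
            findings[u.name] = f
    return findings


def sample_users() -> list[User]:
    """Constructed users: two with leftover access from earlier roles, one clean."""
    return [
        # Promoted from clerk to finance manager; the old expense.submit was never removed.
        User("ivanov", "finance_manager",
             {"expense.submit", "vendor.read", "email", "expense.approve", "report.read"}),
        # Transferred from treasury to sales; check.print came along.
        User("petrova", "sales", {"check.print", "crm.read", "crm.write", "email"}),
        # Matches the treasury baseline exactly.
        User("sidorov", "treasury", {"check.print", "bank.read", "email"}),
    ]


if __name__ == "__main__":
    for name, f in review(sample_users()).items():
        print(name, f)
```

Note that the two checks catch different things: Petrova's leftover check.print is a least-privilege finding but not a separation-of-duties one, because she holds nothing it conflicts with, while Ivanov's leftover expense.submit is both excess access and, combined with expense.approve, exactly the request-and-authorize combination the text says one person must not hold. Comparing against the baseline of the current role, rather than accumulating grants, is what prevents the creep the text describes.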

NOTES

1. vulnerability (security vulnerability) – vulnerability, weak spot

2. iterative – iterative, repeating.

3. risk assessment – risk assessment (determining the possible losses caused by a shortage of information or by its loss during system recovery).

4. threat assessment – threat assessment

5. discernible loss – noticeable loss

6. to mitigate the risk – to reduce the risk

7. outsourcing – engaging subcontractors, outsourcing

8. hiring policies – hiring policy

9. host – host computer, main computer

10. firewall – inter-network screen (МЭ), firewall, protective system, network barrier

11. overlook – to ignore, underestimate, neglect

12. least privilege – minimum of privileges

13. employees' job duties – employees' duties

14. fire suppression system – fire suppression system

15. fencing – fence, installation of fences

16. reimbursement – reimbursement, compensation

Ex.2. Find English equivalents in the text.

To take countermeasures; executive management; needs some clarification; to be promoted (here: promotion to a higher position); vulnerability assessment; residual risk; to implement appropriate control measures; corporate security policy.

Ex.3. Match pairs of synonyms in the columns below.

1. assessment

2. appropriate

3. vulnerability

4. duty

5. intrusion

6. overlook

7. require

8. impact

9. mitigate

10. threat

A. responsibility

B. breach

C. demand

D. influence

E. evaluation

F. decrease

G. weakness

H. danger

I. necessary

J. ignore

Ex.4. Learn the following expressions by heart.

To perform procedures; to mitigate the risk; to assume the countermeasure against; network intrusion detection systems; potential risk; administrative control; to control access to; to evaluate the effectiveness; to identify threats; to authorize payment; to surf the Web; job duties; to grant access to; to make demands; to perform the task; to promote (somebody) to.

Ex.5. Make up a sentence with each of the expressions from Ex. 4.

e.g. to perform procedures – To assess all the risks of this enterprise we should perform all the procedures required.

Ex.6. Explain the following expressions. Use a dictionary if necessary.

e.g. vulnerability – it is a weak point in a computer system through which that system can be broken into and damaged in some way by hackers or viruses

1. Risk assessment –

2. Job duties –

3. Outsourcing –

4. Access control –

5. Authorized access –

6. Firewall –

7. Fire suppression system –

8. Reimbursement –

9. Stakeholder –

10. Government –

Ex.7. Answer the questions.

1. How can you define the term “risk management”?

2. What are the two things that risk management should include?

3. What things should be checked during the risk assessment process?

4. What things does the risk assessment process consist of?

5. What is the administrative type of risk control?

6. What is the logical type of risk control?

7. What is the physical type of risk control?

Ex.8. Translate from Russian into English.

1. Every company tries to take all possible measures to reduce risks.

2. When they carried out the risk assessment, they did not take the human factor into account.

3. The risk of dangerous situations arising increases if employees do not perform their duties.

4. He has been promoted to a new position, so we must close his access to this information.

5. Our fire suppression system does not work; it must be repaired urgently.

6. We have developed a security policy that makes it possible to minimize all the risks related to the security of computer equipment.

7. Our department is responsible for providing the company's employees with everything they need for their work.

8. A violation of technical security control procedures can lead to a serious incident.

9. The most important type of control at any enterprise is administrative control, since the other types of control depend on it.

10. The entire local network of the enterprise is under the control of our system administrators.

Ex.9. Translate the following text.