II. Recommendations
[[[One hundred seventy]]] vulnerabilities were identified which, if not corrected, could result in considerable loss to ETU.
Immediate steps which can be taken are:
[[[
Correct the fire detection and control vulnerabilities identified during the walk-through.
Publish and disseminate ETU Disaster Recovery Plan.
Develop a system-generated cover page for and improve the control of sensitive output listings.
Review the security of terminals at the Parkview Building.
Test the adequacy of current system software and user file backups.
Remind users of the importance of backing up tape files.
Provide additional training on and enforce existing security policies and procedures.
Publish and disseminate an ETU-wide policy on the handling of sensitive documents and develop a uniform cover sheet for these documents.
Review ETU staffing and separation of duties.
ETU System Security Officer, in coordination with ETU management, should develop a Risk Management Plan to address the implementation of the safeguards with the greatest return on investment.
]]]
[[[
Twelve major safeguards (see CHAPTER IX., Applicable Safeguard Cost Benefit Analysis Summary Table) were recommended which, if implemented, would substantially reduce losses if these threats occurred or prevent the threats from occurring altogether.
ETU System Security Officer should develop a Risk Management Plan in cooperation with ETU management, who will make the final decision as to the selection of applicable safeguards. The Plan will identify the specific steps required to implement the selected safeguards and recommend to ETU management the priority for safeguard implementation.
]]]
2.2 Assets within category
Assets are identified, by category, by their commonly used names, and other related information is associated with each individual asset. Depending on the asset category, other data is also provided for each asset, such as the level of sensitivity for data or the quantity of a duplicated hardware item. When the information is available, an indication of the basic attribute(s) of each asset is included, stating whether the asset is
critical (in the sense that the mission of the enterprise depends on the correct and timely functioning of this asset), or
financial (with respect to the need to control modification), or
sensitive (with respect to disclosure), or
supportive (none of the above).
The definition of each asset category is also provided.
The monetary values assigned represent the estimated replacement or purchase cost of the asset, not its current value. For example, the recruitment cost, the training cost, and the staff salaries and benefits were used to determine personnel costs. For leased equipment, the cost of obtaining a new lease is used as the replacement cost, since the organization is responsible for obtaining a replacement resource.
The value of sensitive resources could be greater than the replacement value to account for the loss of future opportunity and the extent of exposure that agencies have resulting from the disclosure of data subject to the Privacy Act; awards of $1,000 to $5,000 per individual record have been assessed by the courts based on the sanctions included in the Privacy Act of 1974.
The sections below deal, in turn, with each of the asset categories included in the analysis.
2.2.1 Accounts Payable
There are no assets in this category.
2.2.2 Accounts Receivable
There are no assets in this category.
2.2.3 Applications
There are no assets in this category.
2.2.4 Cash Accounts
There are no assets in this category.
2.2.5 Communications Hardware
There are no assets in this category.
2.2.6 Communications Software
There are no assets in this category.
2.2.7 Databases
There are no assets in this category.
2.2.8 Documentation
There are no assets in this category.
2.2.9 Facilities
There are no assets in this category.
2.2.10 Fire Detection/Sup.
There are no assets in this category.
2.2.11 Hardware
There are no assets in this category.
2.2.12 Intangibles
There are no assets in this category.
2.2.13 Negotiable Instruments
There are no assets in this category.
2.2.14 Office Equipment
There are no assets in this category.
2.2.15 Personnel
There are no assets in this category.
2.2.16 Procedures
There are no assets in this category.
2.2.17 Security
There are no assets in this category.
2.2.18 Supplies and Consumable
There are no assets in this category.
2.2.19 Support Systems
There are no assets in this category.
2.2.20 System Software
There are no assets in this category.
2.2.21 Utilities
There are no assets in this category.
CHAPTER 2. ASSETS
The ETU risk analysis included 21 asset categories. [[[Some of the categories were divided into more descriptive sub-categories. For example, communication consisted of three resource names (Communication Support Hardware, Communication Diagnostic Equipment, and Communication Modem/DSU).]]] The determination of categories and values of assets was accomplished through interviews with [[[NAME and NAME personnel]]]. A review of the assets was performed by the Risk Analysis Team and ETU [[[and NAME]]] management.
The asset values were determined based on the cost of replacing the particular asset. The largest replacement value was for Accounts Payable, which is estimated at $0 (see Figure 4) and which constitutes 0.0% (see Figures 4 and 6) of the total value of all DATA CENTER assets. The next highest values for replacement cost were for categories Accounts Receivable and Applications. The values and percentages of the whole are, respectively, $0 at 0.0% and $0 at 0.0%.
