信息系统安全风险评估案例分析.docx (Information System Security Risk Assessment: Case Analysis)

Uploader: rrsccc  Document ID: 9615607  Uploaded: 2021-03-12  Format: DOCX  Pages: 10  Size: 467.90 KB

Information System Security Risk Assessment: Case Analysis

Case introduction: an information-system risk assessment project carried out for a company.
Contents: project information, project implementation, project conclusions and security recommendations.

1. Project Information

Project background: With the rapid growth of the company's IT build-out, and in particular the successive roll-out of business systems serving the whole country and the general public, new requirements have been placed on the security of the company's network and information systems. To meet these requirements, a systematic and comprehensive security assessment of the company's network and information systems is needed, so that the business applications of each project can be protected more effectively.

Project objectives: First, carry out a comprehensive information-security risk assessment of the company's network and information systems, identify the security risks currently present, and deliver a risk assessment report; on the basis of that report, produce a new security construction plan for the information systems, build a secure IT application platform and raise the enterprise's technical security assurance capability. Second, use the assessment to find the defects in the company's information-security management system, and assist the company in establishing a complete information-security management system, security-incident handling procedures and emergency service mechanisms, so as to raise the information-security management assurance capability of the core systems.

Assessment scope: headquarters data center, branch offices, disaster-recovery center.
Business systems in scope: core business system, financial system, sales management and statistics system, internal information portal, external information portal, mail system, auxiliary office systems, etc.; also the disaster-recovery center, the emergency-response system and verification of emergency drills.

Assessment objects:
- Network systems: 17 devices, 40% sampling rate.
- Host systems: 9 hosts, 50% sampling rate.
- Database systems: 4 business databases, 100% sampling rate.
- Application systems: 3 (core business, finance, internal information portal).
- Security management: 11 security-management objectives.

2. Assessment Implementation

Assessment process flowchart: (figure)
Project implementation team: (division of labour)

On-site work: project kick-off meeting; introduction to the systems and the business; on-site survey of systems and business; information-asset inventory and statistics; threat survey and statistics; distribution and collection of security-management questionnaires; collection of assessment information on the network and information systems; on-site inspection of the physical environment of the server rooms; system vulnerability scanning; verification of system operating status.

Assessment work: asset inventory and valuation; threat statistics, analysis and valuation; vulnerability analysis of each system; analysis of vulnerability-scan results; analysis of existing security measures; calculation and analysis of the security risk of business assets; writing of the assessment report.

Asset statistics sample: (chart)

Threat statistics and analysis: threats were grouped into 3 major categories (environmental, system, human) and 7 sub-categories, giving 34 threat items in total: level-4 threats, 2 sub-categories, 2 items; level-3 threats, 6 sub-categories, 16 items; level-2 threats, 5 sub-categories, 16 items.
Threat statistics list (1): (table)
Threat statistics list (2): (table)

Vulnerability analysis:
- Network: 5 issues (3 high risk, 2 medium risk).
- Host systems: 13 issues (1 very high, 7 high, 4 medium, 1 low).
- Database systems: 11 issues (7 high, 1 medium, 3 low).
- Application systems: 5 issues (3 high, 1 medium, 1 low).
- Security management: 13 issues (6 high, 6 medium, 1 low).

Vulnerability categories, network systems: password management, security audit, access control, resource utilization, vulnerability management, physical protection, emergency response, maintenance management.
Vulnerability categories, business systems: identification and authentication, security audit, access control, security-policy configuration, resource utilization, malicious-code protection, vulnerability management, transmission and communication, business continuity, physical protection, emergency response, maintenance management.
Vulnerability analysis list: (table)

Vulnerability-scan results: 10 hosts scanned. Findings: 1 critical (Windows 2003: 1); 29 high (AIX: 27, Windows 2003: 2); 22 medium (AIX: 12, Windows 2003: 10).
Vulnerability-scan result analysis: (table)

Risk calculation, principle:

    Risk = R(A, T, V) = R(L(T, V), F(Ia, Va))

where R is the security-risk calculation function; A the asset; T the threat; V the vulnerability; Ia the value of the asset the security incident acts on; Va the severity of the vulnerability; L the likelihood that the threat exploits the asset's vulnerability and causes a security incident; and F the loss produced once the security incident has occurred.

Calculation method: in this project the "multiplication method" was chosen to compute the risk values of business systems and assets. The formulas are:

    likelihood of a security incident    L  = T × V
    loss caused by the security incident F  = V × A
    risk value of an asset               Rn = L × F
    risk value of a business system      R  = max(Rn)

Risk calculation and analysis table: (table)
Risk-level bands: (table)
Security risk level of each business system: (table)
Security risk statistics chart of each business system: (chart)

3. Conclusions and Security Recommendations

Conclusion: Overall, the company's information-security posture is fairly good. Risks of the highest level (level 5 / very high) do appear, but they account for less than 30% of the total and are confined to non-core business systems; the company's risks are predominantly "medium", about 50% of the total. The risks that remain must not be ignored: the management system is incomplete and lacks some necessary regulations and standards; environmental protection, security measures and control measures in the server rooms all need strengthening; the disaster-recovery system lacks complete drills; and access-permission control, password encryption, control of the SNMP protocol, enabling and configuring of auditing, and real-time monitoring all need stronger security-management measures.

Security recommendations: complete the security management system (emergency plans, system auditing, personnel, security management, etc.); draw up risk-mitigation plans for the other risk levels; the disaster-recovery system needs complete drills; the technical security measures of the network and business systems need strengthening.

Team members: 章锐、龚哲、廖洋、孙阳明、赵世堂.
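The multiplication method from section 2 (L = T × V, F = V × A, Rn = L × F, R = max(Rn)), carried through in Python as an added example; this is not code from the original report. It assumes A, T and V are integer scores on a 1..5 scale, the band edges that map Rn to the five risk levels are an assumption (the report's own band table is not reproduced on the page), and the assets and scores are constructed sample data, not the project's findings.

```python
from __future__ import annotations

from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Exposure:
    """One asset/threat/vulnerability triple, each factor scored 1..5
    (assumed scale; the report's five risk levels imply one)."""
    business: str       # business system the asset belongs to
    asset: str
    asset_value: int    # A  (Ia: value of the asset the incident acts on)
    threat_level: int   # T
    vuln_severity: int  # V  (Va: severity of the vulnerability)


def is_valid_scale(x: object) -> bool:
    """A, T and V must be integers on the 1..5 scale (bool excluded)."""
    return isinstance(x, int) and not isinstance(x, bool) and 1 <= x <= 5


def _scale(name: str, x: int) -> int:
    if not is_valid_scale(x):
        raise ValueError(f"{name} must be an integer in 1..5, got {x!r}")
    return x


def likelihood(threat_level: int, vuln_severity: int) -> int:
    """L = T * V: likelihood that the threat exploits the vulnerability."""
    return _scale("T", threat_level) * _scale("V", vuln_severity)


def loss(vuln_severity: int, asset_value: int) -> int:
    """F = V * A: loss once the security incident has occurred."""
    return _scale("V", vuln_severity) * _scale("A", asset_value)


def asset_risk(e: Exposure) -> int:
    """Rn = L * F for one exposure (range 1..625 on a 1..5 scale)."""
    return likelihood(e.threat_level, e.vuln_severity) * loss(e.vuln_severity, e.asset_value)


def business_risk(exposures: list[Exposure]) -> dict[str, int]:
    """R = max(Rn) over the assets of each business system."""
    worst: dict[str, int] = {}
    for e in exposures:
        worst[e.business] = max(worst.get(e.business, 0), asset_risk(e))
    return worst


# ASSUMED banding: a uniform score s gives Rn = s**4 (1, 16, 81, 256, 625),
# so band edges sit at the geometric means of adjacent values: 4, 36, 144, 400.
LEVEL_UPPER_BOUNDS = ((4, 1), (36, 2), (144, 3), (400, 4))


def risk_level(rn: int) -> int:
    """Map an Rn (or business R) value to a 1..5 level (5 = very high)."""
    for upper, level in LEVEL_UPPER_BOUNDS:
        if rn <= upper:
            return level
    return 5


def level_profile(exposures: list[Exposure]) -> dict[int, float]:
    """Percentage of asset-level risks in each level 1..5, the kind of figure
    the report's conclusion quotes ("very high below 30%", "medium about 50%")."""
    counts = Counter(risk_level(asset_risk(e)) for e in exposures)
    total = sum(counts.values())
    return {lvl: round(100.0 * counts.get(lvl, 0) / total, 1) for lvl in range(1, 6)}


# Constructed sample data; the scores are illustrative, not the report's.
SAMPLE_EXPOSURES = [
    Exposure("core business", "core database server", 5, 3, 2),
    Exposure("core business", "core application server", 5, 2, 2),
    Exposure("finance", "finance database", 4, 3, 4),
    Exposure("internal portal", "portal web server", 3, 4, 4),
    Exposure("mail", "mail server (unpatched)", 4, 5, 5),
    Exposure("mail", "mail gateway", 2, 3, 3),
]

if __name__ == "__main__":
    for e in SAMPLE_EXPOSURES:
        rn = asset_risk(e)
        print(f"{e.business:16} {e.asset:26} L={likelihood(e.threat_level, e.vuln_severity):2} "
              f"F={loss(e.vuln_severity, e.asset_value):2} Rn={rn:3} level={risk_level(rn)}")
    for biz, r in business_risk(SAMPLE_EXPOSURES).items():
        print(f"business {biz!r}: R={r} level={risk_level(r)}")
    print("level profile (%):", level_profile(SAMPLE_EXPOSURES))
```

Running the module prints L, F, Rn and the level for each constructed exposure, the per-business R = max(Rn), and the level distribution. Because Rn is the product of four 1..5 factors, it ranges over 1..625 and cannot be read against the factor scale directly; whichever banding an assessment adopts has to be recorded alongside the results, which is why the report carries a separate risk-level band table.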

