This post was last edited by FYIRH on 2022-8-10 17:25.
To download the latest translated version, follow the WeChat official account ITILXF and reply "ITIL 4 information security management".
Many organizations consider the information security management practice to be a specialized branch of wider security management. In a service economy, every organization's business is service-driven and digitally enabled. Because security management focuses more on the security of digital services and information, this may lead to closer integration of the disciplines. Where digital transformation has removed the border between 'IT management' and 'business management', integration is both possible and useful. (For more on this topic, see ITIL® 4: High-velocity IT.)
2.2 Terms and concepts
2.2.1 Security characteristics
● Usernames and passwords are often used to authenticate people, although more rigorous authentication using biometrics and security tokens is usually preferred.
● Websites can use certificates and encryption to provide authentication.
2.2.2 Assets, threats, threat actors, and vulnerabilities
These terms are related as follows: threat actors exploit vulnerabilities to have an impact on assets.
Threat and vulnerability assessments
Information security is becoming an increasingly important but difficult task. The information security management practice is increasingly important in the context of digital transformation. This is due to the growth of digital services across industries, where information security breaches might have a major effect on an organization’s business. The wider use of cloud solutions and the wider integration with partners’ and service consumers’ digital services creates new critical dependencies, with limited ability to control how information is collected, stored, shared, and used. Partners and service consumers are in the same situation, and usually invest in data protection and information security solutions. However, a lack of integration and consistency between organizations creates new vulnerabilities, which need to be understood and addressed. The information security management practice in conjunction with other practices (including: availability management, capacity and performance management, information security management, risk management, service design, relationship management, architecture management, supplier management and other practices) ensures that an organization’s products and services meet the required level of information security for all involved parties.
The information security management practice is considered by many organizations to be a specialized branch of wider security management. In a service economy, every organization’s business is service-driven and digitally-enabled. This may lead to a closer integration of the disciplines, as security management focuses more on the security of digital services and information. This integration is both possible and useful where digital transformation has led to the removal of the borders between ‘IT management’ and ‘business management’ (see ITIL®4: High-velocity IT for more on this topic).
2.2.1 Security characteristics
The information security management practice helps to ensure the confidentiality, integrity, and availability of the information needed to conduct business, with several activities and controls needed to preserve these characteristics. Additionally, the information security management practice is often concerned with authentication and non-repudiation.
Confidentiality is the first thing that many people think of when they consider information security. People and organizations want to ensure that their secrets remain secret, and that their personal or business information is not misused.
Availability matters just as much: if the information is not available when and where it is needed, then the organization is unable to conduct its business.
The availability management practice considers many aspects of service availability. However, the information security management practice is mostly concerned with the availability of information.
Integrity matters because incorrect information may be worse than not having any information at all. For example, if a bank incorrectly believes that a customer has a large amount of money in their account and allows them to withdraw this, the bank might suffer a significant loss.
Authentication is used to establish the identity of people and things. For example:
● Usernames and passwords are often used to authenticate people, although more rigorous authentication using biometrics and security tokens is often preferred.
● Certificates and encryption may be used by websites to provide authentication.
Non-repudiation has been used in business transactions since before the existence of IT systems and services. Traditionally, a signature would be used, and if a higher level of proof was needed then this signature might be notarized. Information security relies on non-repudiation so that transactions can occur. This is essential to preserve the integrity of information.
2.2.2 Assets, threats, threat actors, and vulnerabilities
Definition: Asset
An asset is anything that has value to an organization.[1]
Assets may include hardware, software, networking, information, people, business processes, services, organizations, buildings, or anything else that is valuable to an organization. The information security management practice helps to protect assets so that the organization can conduct its business.
[1] This definition is different from the one used for the availability management practice. Service availability is defined differently from the availability of information.
Definition: Threat
A threat is any potential event that could have a negative impact on an asset.
Definition: Threat actor
A threat actor is any person or organization that poses a threat.
Definition: Vulnerability
A vulnerability is any weakness in an asset or control that could be exploited by a threat.
These terms are related in the following way: threat actors exploit vulnerabilities to have an impact on assets.
Threat and vulnerability assessments
A threat assessment is used to identify potential threats, so that the organization can take appropriate action. This assessment may involve reviewing historical information about previous attacks on the organization, recent attacks against other similar organizations, or simply predicting potential threats that could emerge in the future. The output of a threat assessment is a list of threats that the organization needs to consider in its planning. Threat assessments can be performed on a regular basis and as a check when planning changes.
A vulnerability assessment is used to identify vulnerabilities in a specific environment, service, or configuration item. This typically involves compiling a list of potential vulnerabilities and using tools to test each component in the environment, to see if that vulnerability exists. Vulnerability assessments can be performed on a regular basis, and as a check during the deployment of infrastructure or applications. There are many tools available to support vulnerability assessments and many suppliers can perform vulnerability assessments as a service.
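As an added illustration in Python (not part of the ITIL text) of the relationship "threat actors exploit vulnerabilities to have an impact on assets" and of a tool-driven vulnerability assessment that tests each component of a configuration item against a compiled list of potential vulnerabilities: the asset names, component versions, threat names and VULN-PLACEHOLDER identifiers are constructed sample data, not real products or advisories.

```python
# Constructed sample data: component names, versions and the VULN-PLACEHOLDER
# identifiers are illustrative placeholders, not real advisories or products.

# Vulnerability catalogue: id -> (component, first version without the weakness)
CATALOGUE = {
    "VULN-PLACEHOLDER-1": ("webapp", "2.4.0"),
    "VULN-PLACEHOLDER-2": ("tls-lib", "1.1.2"),
    "VULN-PLACEHOLDER-3": ("db-server", "14.0.0"),
}
# Threats from the threat assessment: name -> vulnerability ids the threat exploits
THREATS = {
    "credential theft": {"VULN-PLACEHOLDER-1"},
    "data interception in transit": {"VULN-PLACEHOLDER-2"},
    "unauthorised database access": {"VULN-PLACEHOLDER-3"},
}
# Assets (configuration items): name -> {component: installed version}
ASSETS = {
    "customer portal": {"webapp": "2.3.1", "tls-lib": "1.1.2"},  # tls-lib already at fixed version
    "accounts database": {"db-server": "13.2.0"},
}

def parse_version(version):
    """Turn '2.3.1' into (2, 3, 1) so that versions compare numerically."""
    return tuple(int(part) for part in version.split("."))

def assess_vulnerabilities(components, catalogue=CATALOGUE):
    """Vulnerability assessment for one asset: test each of its components against
    the compiled list of potential vulnerabilities; return the ids that are present."""
    found = []
    for vuln_id, (component, fixed_in) in catalogue.items():
        installed = components.get(component)
        if installed and parse_version(installed) < parse_version(fixed_in):
            found.append(vuln_id)
    return sorted(found)

def assess_threats(components, catalogue=CATALOGUE, threats=THREATS):
    """Threat actors exploit vulnerabilities to impact assets: a threat is relevant
    to this asset only if it exploits a vulnerability the asset actually has."""
    present = set(assess_vulnerabilities(components, catalogue))
    return sorted(name for name, needs in threats.items() if needs & present)

def assessment_report(assets=ASSETS):
    """Per asset, the vulnerabilities found and the threats to consider in planning."""
    return {name: {"vulnerabilities": assess_vulnerabilities(components),
                   "threats": assess_threats(components)}
            for name, components in assets.items()}
```

The report is the planning input the text describes: a threat whose only exploitable weakness is already fixed (tls-lib here) drops out of the list for that asset.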