
Information security best practices (NIST, SANS, CERT, ISACA...)

9,876 views

Published on

A collection of information security "best practices"

Published in: Technology


  1. "Best practices": ISACA, NIST, CERT, SANS and others. Andrey Prozorov, 2014-05
  2. Sources of "best practices"…
  3. The best known…
  4. ISACA
     • "Information Systems Audit and Control Association"
     • since 1969
     • more than 115,000 members
     • membership: $135 per year + $10 (local chapter, Russia); discounts for "newcomers" ($30)
     • http://isaca.org
  5. What to look at?
     • Publications and books
     • Professional certifications (CISA, CISM, CGEIT, CRISC)
     • Journal (6 issues per year)
     • A venue for networking and exchanging experience
     • Conferences, webinars, etc.
     • The IT Governance Institute (ITGI)
  6. Publications
     • COBIT 5 (set of books)
     • IT Assurance Framework (ITAF)
     • Business Model for Information Security (BMIS)
     • Val IT Framework for Business Technology Management
     • Risk IT Framework for Management of IT Related Business Risks
  7. Other documents built on COBIT 5 ideas
     • Securing Mobile Devices: Using COBIT 5 for Information Security (138 pp.)
     • Vendor Management Using COBIT 5 (196 pp. + toolkit)
     • Configuration Management: Using COBIT 5 (88 pp.)
     • Controls and Assurance in the Cloud: Using COBIT 5 (266 pp.)
     • APT: How to manage the risk to your business (132 pp.)
     • Transforming Cybersecurity: Using COBIT 5 (190 pp.)
     • Responding to targeted cyberattacks (88 pp.)
  8. NIST
     • "National Institute of Standards and Technology" (USA)
     • Free
     • http://nist.gov
  9. What to look at?
     • All publications - http://csrc.nist.gov/publications
     • Cryptography:
       – the "Advanced Encryption Standard" (AES) competition, 1997-2000; the winning algorithm was "Rijndael"
       – the "SHA-3" competition, 2007-2012; the winning algorithm was "Keccak"
  10. Publications
     • Federal Information Processing Standards (FIPS) security standards
     • NIST Special Publications (SPs): SP 800-series (computer security)
     • NIST Interagency or Internal Reports (NISTIRs)
     • Information Technology Laboratory (ITL) Bulletins
     • other "white papers"
  11. Particularly interesting NIST SP 800 documents
     • SP 800-53 Rev. 4 "Security and Privacy Controls for Federal Information Systems and Organizations"
     • SP 800-53A Rev. 1 "Guide for Assessing the Security Controls in Federal Information Systems and Organizations, Building Effective Security Assessment Plans"
     • SP 800-39 "Managing Information Security Risk: Organization, Mission, and Information System View"
     • SP 800-37 Rev. 1 "Guide for Applying the Risk Management Framework to Federal Information Systems: A Security Life Cycle Approach"
     • SP 800-61 Rev. 2 "Computer Security Incident Handling Guide"
     • SP 800-50 "Building an Information Technology Security Awareness and Training Program"
     • …
  12. CERT
     • "Computer Emergency Response Team"
     • Carnegie Mellon University (CMU)
     • since 1988 (founded after the "Morris Worm" appeared)
     • http://cert.org
  13. What to look at?
     • Insider-threat materials http://cert.org/insider-threat
     • The OCTAVE risk assessment methodology (Operationally Critical Threat, Asset, and Vulnerability Evaluation) http://www.cert.org/resilience/products-services/octave
     • Other topics in incident management and countering cyber threats
  14. SANS
     • The SANS Institute
     • SANS: SysAdmin, Audit, Networking, and Security
     • Free
     • since 1989
     • http://sans.org
  15. What to look at?
     • Top 20 Critical Security Controls (v.5) http://www.sans.org/critical-security-controls
     • OUCH! Security Awareness Newsletter (available in Russian) http://www.securingthehuman.org/resources/newsletters/ouch
     • SANS Information Security Reading Room http://www.sans.org/reading-room
     • SANS Security Policy Project (Free Security Policy Templates) http://www.sans.org/security-resources/policies
     • Professional certification (GIAC - Global Information Assurance Certification)
     • Courses and training
  16. Top 20 Critical Security Controls
     1: Inventory of Authorized and Unauthorized Devices
     2: Inventory of Authorized and Unauthorized Software
     3: Secure Configurations for Hardware and Software on Mobile Devices, Laptops, Workstations, and Servers
     4: Continuous Vulnerability Assessment and Remediation
     5: Malware Defenses
     6: Application Software Security
     7: Wireless Access Control
     8: Data Recovery Capability
     9: Security Skills Assessment and Appropriate Training to Fill Gaps
     10: Secure Configurations for Network Devices such as Firewalls, Routers, and Switches
     11: Limitation and Control of Network Ports, Protocols, and Services
     12: Controlled Use of Administrative Privileges
     13: Boundary Defense
     14: Maintenance, Monitoring, and Analysis of Audit Logs
     15: Controlled Access Based on the Need to Know
     16: Account Monitoring and Control
     17: Data Protection
     18: Incident Response and Management
     19: Secure Network Engineering
     20: Penetration Tests and Red Team Exercises
  17. PCI
     • "Payment Card Industry Security Standards Council" (PCI SSC)
     • since 2006
     • https://www.pcisecuritystandards.org
     • http://ru.pcisecuritystandards.org
  18. What to look at?
     • Standards (available in Russian):
       – Data Security Standard (PCI DSS)
       – Payment Application Data Security Standard (PA-DSS)
       – PIN Transaction Security (PTS) (requirements)
     • Training and certification
  19. Requirement groups of PCI DSS 3.0 (2013)
     1. Build and Maintain a Secure Network and Systems
     2. Protect Cardholder Data
     3. Maintain a Vulnerability Management Program
     4. Implement Strong Access Control Measures
     5. Regularly Monitor and Test Networks
     6. Maintain an Information Security Policy
     (Number of requirements in each group, from the slide's chart: 2, 2, 2, 3, 2, 1)
  20. And a few more…
  21. BCI
     • "Business Continuity Institute"
     • since 1994
     • paid membership ($165/$130/$120 per year)
     • http://thebci.org
  22. What to look at?
     • BCM professional certification
     • Good Practice Guidelines 2013 (free for members)
     • Magazine (4 issues per year) - http://thebci.org/index.php/resources/continuity-magazine
     • Knowledge Bank
     • Courses and training
  23. BSI (de)
     • "Bundesamt für Sicherheit in der Informationstechnik" (BSI)
     • The Federal Office for Information Security (BSI) promotes IT security in Germany
     • since 1986, formally established in 1990
     • http://bsi.bund.de
  24. What to look at? IT-Grundschutz Standards:
     • BSI Standard 100-1 "Information Security Management Systems (ISMS)"
     • BSI Standard 100-2 "IT-Grundschutz Methodology"
     • BSI Standard 100-3 "Risk Analysis based on IT-Grundschutz"
     • BSI Standard 100-4 "Business Continuity Management"
     • Threat catalogue T 0 "Elementary Threats"
     • International: https://www.bsi.bund.de/DE/Themen/ITGrundschutz/ITGrundschutzInternational/intl.html (2008)
  25. OCEG
     • "Open Compliance and Ethics Group"
     • since 2002
     • everything about GRC (standards, diagrams, etc.)
     • paid membership ($300/$399/$750 per year)
     • http://oceg.org
  26. What to look at?
     • Standards:
       – GRC Capability Model (Red Book) v.2.1 2012, free download after registration
       – GRC Assessment Tools (Burgundy Book)
       – GRC Technology Solutions Guide
       – GRC-XML Spec and Schema
  27. ISM3
     • "The Open Group Information Security Management Maturity Model" (O-ISM3)
     • http://ism3.com
     • https://collaboration.opengroup.org/projects/security/ism3
  28. What to look at?
     • Free online downloads:
       – O-ISM3 standard
       – Optimizing ISO/IEC 27001 using O-ISM3
  29. And some rather rare but useful materials…
  30. Other links
     • Information Security Forum (ISF) https://www.securityforum.org
     • European Union Agency for Network and Information Security (ENISA) http://www.enisa.europa.eu
     • The Building Security In Maturity Model (BSIMM) http://www.bsimm.com
     • The Generally Accepted Information Security Principles project (GAISP) http://all.net/books/standards/GAISP-v30.pdf
     • International Standard on Assurance Engagements (ISAE) No. 3402 http://isae3402.com
     • The Data Management Association International (DAMA) http://www.dama.org
     • Agence nationale de la sécurité des systèmes d'information (ANSSI, France) http://www.ssi.gouv.fr/en
  31. + Bonus. Glossaries
     • NIST http://nvlpubs.nist.gov/nistpubs/ir/2013/NIST.IR.7298r2.pdf
     • ISACA http://www.isaca.org/Knowledge-Center/Documents/Glossary/glossary.pdf
     • PCI DSS https://www.pcisecuritystandards.org/documents/PCI_DSS_Glossary_Final_v3.pdf
     • SANS http://www.sans.org/security-resources/glossary-of-terms
     • ITIL http://t.co/IQysDbOB3p
