The document discusses guidelines for public companies to establish internal control systems. It references regulations for financial holding companies, banks, securities firms, and insurance companies. It states that internal audit reports and related materials should be kept for at least 5 years. It also says companies should develop annual audit plans based on risk assessments and ensure they are implemented. The plans should cover important control operations identified in the company's internal control system.

1. • 本投影片僅供教育訓練用，如有侵權，請留言通
知，將立即刪除，謝謝。
• The slide is for education purpose only. Please leave
your comment if there is any copyright infringement.
I will delete it immediately. Thank you.

3. 法規名稱：公開發行公司建立內部控制制度處理準則
法規名稱：
•二、參考「金融控股公司內部控制及稽核制度實施辦法」
、「銀行內部控制及稽核制 度實施辦法」、「票券商內
部控制及稽核制度實施辦法」及「保險業內部控制及 稽
核制度實施辦法」規定，公開發行公司內部稽核及自行檢
查報告、工作底稿及相關資料保存年限統一為至少保存五
相關資料保存年限統一為至少保存五
年。（修正條文第十三條及第二十二條)
•十、為落實公開發行公司內部稽核單位執行年度稽核計畫
之機制，明定公司應依風險評估結果
應依風險評估結果擬訂其年度稽核計畫
應依風險評估結果
，並確實執行，且其年度稽核計畫之稽核項目範圍應涵蓋
公司於內部控制制度訂定之重要控制作業。 (修正條文第
十三條)

4. Qualitative Risk Analysis Example
教育部 TANet 網路中心導入資訊安全管理制度計畫教育訓練教材
http://cissnet.edu.tw/download_tanet.aspx

5. FMEA Output
RPN=SEV x PF x DET
PRN: Risk Priority Number
SEV:Severity
PF:Probability Factor
DET:Detection Effectiveness
Rers: http://www.siliconfareast.com/fmea_quickref.htm#table

6. Fault Tree Analysis

7. I. Risk Assessment in NIST SP-800 30
source: NIST Sp800-30

8. I. Risk Assessment in NIST SP-800 30
(cont.)
source: NIST Sp800-30

9. Risk Management
Threats
Risk
Identification
Vulnerabilities
Quantitative
Analysis
Qualitative
Analysis
Risk
Risk Analysis FMEA
Assessment
FTA
OCTAVE
Risk
Likelihood
Management
Risk
Evaluation
Impact
Acceptance
Reduction
Risk
Mitigation
Transference
Avoidance

10. Access Control

11. Access Control Conceptual Diagram
Access Control
2007/6/8
Anything
You Do Identify
Identification
Will Be Youself
Logged
Prove It
Accountability Authentication (I need to
Verify you)
Do What I
Authorization Tell You to
Do

12. TACACS+ and RADIUS Comparison
Criterion TACACS+ RADIUS
Transport TCP (reliable; more overhead) UDP (unreliable;
higher
performance)
Authentication Can be separated (more flexible) Combined
and
Authorization
Multiprotocol Supported (IP, Apple, NetBIOS, IP only
Support Novell, X.25)
Access to Supports two methods to control Not supported
Router CLI the authorization of router
Commands commands on a per-user or per-
group basis
Encryption Packet payload Passwords only
http://etutorials.org/Networking/network+management/Part+II+Implementations+on+the+Cisco+Devices/Chapter+9.+AAA+Accounting/Diameter+Det
ails/

13. RADIUS and Diameter Comparison
Characteristic RADIUS Diameter
Transport protocol Connectionless (UDP 1812). Connection-oriented (TCP, SCTP,
3868).
Transport security Optional IPsec. IPsec or Transport Layer Security
(TLS) is required.
Architecture Client-Server model Peer-to-peer model
State Stateless Stateful(Session ID, transaction
status)
Authentication Pre-shared key Pre-Shared key, digital certificate
PAP, CHAP, EAP PAP, CHAP, EAP
Only client to server re- Mutual re-authentication
authentication
Authorization Bind with re-authentication Re-authorization any time
Accounting Real-time accounting Real-time accounting
Confidentiality Only encrypt password Encrypt all data, or IP header(IPSec)
Integrity Poor Good
Scalability Poor Good
Extensibility Vendor-specific Public use
Security model Supports only hop-by-hop security. Supports end-to-end and hop-to-
Every hop can modify information hop security. End-to-end guarantees
that cannot be traced to its origin. that information cannot be
modified without notice.

14. XACML Policy Sample
<Policy PolicyId="SamplePolicy"
RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:permit-
overrides“>
<!-- This Policy only applies to requests on the SampleServer -->
<Target>
<Subjects>
<AnySubject/>
</Subjects>
<Resources>
<ResourceMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
<AttributeValue
DataType="http://www.w3.org/2001/XMLSchema#string">SampleServer</AttributeValue>
<ResourceAttributeDesignator DataType="http://www.w3.org/2001/XMLSchema#string"
AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id"/>
</ResourceMatch>
</Resources>
<Actions>
<AnyAction/>
</Actions>
</Target>
<!-- A final, "fall-through" Rule that always Denies --> <Rule RuleId="FinalRule" Effect="Deny"/>
</Policy>

15. SPML Scenario
http://www.computerworld.com/s/article/86225/SPML

16. Cryptography

17. 2DES Meet-in-the-Middle Attack
If DES1 encrypted output equals DES2 decrypted output, then key1 and key2 cracked
known known
Source: www.giac.org/

18. Keyed Hash HMAC
Source: http://www.unixwiz.net/

19. Algebraic Cryptanalysis
E E
Message
E

20. Null Cipher
“A re you deaf, Father W illiam !” the young m an said,
“D id you hear w hat I told you just now ?
“E xcuse m e for shouting! D on’t w aggle your head
“Like a blundering, sleepy old cow !
“A little m aid dw elling in W allington Tow n,
“Is m y friend, so I beg to rem ark:
“D o you think she’d be pleased if a book w ere sent dow n
“E ntitled ‘The H unt of the Snark?’” -
“Pack it up in brow n paper!” the old m an cried,
“A nd seal it w ith olive-and-dove.
“I com m and you to do it!” he added w ith pride,
“N or forget, m y good fellow , to send her beside
“E aster G reetings, and give her m y love.”

21. Diffie-Hellman Key Agreement Operation

22. Diffie-Hellman Key Agreement Operation

23. Security Architecture and Design

24. Zachman Framework
An Overview of Enterprise Architecture Framework Deliverables by Frank Goethals

25. DoDAF Framework
Enterprise Architecture A-to-Z

26. EAL Stats
www.commoncriteriaportal.org

27. Common Criteria Flow
an implementation-
independent Protection Category of Product
statement of security Profile (i.e., “firewalls”)
needs for a TOE type.
a set of software,
firmware and/or Target of Specific Product (i.e.,
hardware possibly Evaluation Cisco PIX 5xx)
accompanied by
guidance.
Security Vendor claims:
an implementation- Specifications and
dependent statement Target features
of security needs for a
specific identified TOE
Functional Assurance
Requirements Requirements

28. Implementation of Evaluated Products
TEST plan based on
Evaluation
stated requirements
EAL Levels
1 Functionally Tested
2 Structurally Tested
3 Methodically Tested
4 Methodically Designed, Tested, Reviewed
5 Semiformal testing
6 Semiformal verification
7 Formal verification and testing
Based on production
Certification environment
Accreditation

29. Storage Systems
http://en.wikipedia.org/wiki/Storage_area_network

30. Application Security

31. KDD Process

32. Neural Network

33. Expert System
Source:idrinfo.idrc.ca

34. Waterfall Method
http://www.softwebsolutions.com/our_process.html

35. Spiral Method
http://en.wikipedia.org/wiki/Spiral_model

36. Iterative Method
Wikipedia

37. Inheritance
Parent Class
Animal
Virtual Function Talk()
Child Class Child Class
Cat Dog
Function Talk("") Function Talk("")

38. Polymorphism
1. class Animal {
2. virtual public Talk(){ }
3. }
4. class Dog extends Animal {
5. public Talk() { speak "汪" }
6. }
7. class Cat extends Animal {
8. public Talk() { speak "喵" }
9. }
10.Function AnimalTalk( Animal objSomeAnimal)
11.{
12. objSomeAnimal.Talk; //polymophism; late binding
13.}
14.Animal objCat = new Cat;
15.Animal objDog = new Dog;
16.//Without polymorphism
17.objCat .Talk; //"喵"
18.objDog .Talk; //"汪"
19.//With polymorphism
20.AnimalTalk(objCat); //"喵"
21.AnimalTalk(objDog); //"汪"
• 在本範例中，AnimalTalk程序接受 (Accept) 屬於 Animal 型別而名為 objSomeAnimal 的參數，所以我
們可以在 run-time傳送如 Cat或Dog衍生自 Animal 類別的類別。此項設計的優點在於，您可加入衍生 可加入衍生
類別的新類別， 程序中的用戶端程式碼。
自 Animal 類別的新類別，而不需要變更 AnimalTalk程序中的用戶端程式碼
程序中的用戶端程式碼

39. 2-phase commit

40. LRCI

41. EnCase – File System

42. EnCase Timeline

43. 稽核自動化平台

44. Telecommunication and Network Security

45. Attack Tree
http://commons.wikimedia.org/wiki/File:Attack_tree_virus.png

46. Honeynet
http://www.iu.hio.no/

47. Partial Mesh as HA

48. Link Layer Encryption vs. End-to-end Encryption

49. ISDN Application

50. MPLS
http://www.isoc.org/

51. IPSec Mode - Concise
http://technet.microsoft.com/en-us/library/cc759130(WS.10).aspx#w2k3tr_ipsec_how_vvlc

52. PPTP and L2TP Data Format

53. Smurf
http://www.techexams.net

54. FDDI Dual Counter-Rotating Ring

55. Routing Protocols
Open Hop Class Authentica Category Network
less tion
RIPv1 RFC 15 No None Interior Small
1058 Distance vector
RIPv2 RFC 15 Yes Password Interior Small
2453 MD5 Distance vector Medium
IGRP Cisco 255 No None Interior Small
Distance vector
EIGRP Cisco 255 Yes Password Interior Large
MD5 Hybrid
OSPF RFC none Yes Password Interior Large
2328 MD5 Link-state Hetero
ISIS ISO Yes Password Interior Large
10589 Link-state
EGP Exterior AS-AS
Distance vector
BGP RFC CIDR MD5 Exterior AS-AS
1771 Distance vector
Cisco® Certified Network Associate Study Guide

56. Subnetting vs. supernetting
One Class C
8 contiguous Class C
http://medusa.sdsu.edu/network/CS576/Lectures/ch05_Subnetting.pdf

57. VPN – Site to Site

58. NetBios

59. War Dialer - PhoneSweep

60. Finger

61. IPP in IIS
http://secunia.com/advisories/32248/

62. LPR in XP
https://www.cs.uwaterloo.ca/twiki/view/CF/LprPrintingForWindows

63. Tapping Fiber Optics
http://i.techrepublic.com.com/blogs/Figure%20A.jpg

64. SAN
http://www.allsan.com/sanoverview.php3

65. Transmission Technology
http://www.privateline.com/PCS/Multiplexing.htm

66. BCP

67. BIA Process
Owner Impact
Business Activity
Geographic
Timescale
Extent
MTPD
RPO

68. 4.1 INCIDENT RESPONSE STRUCTURE

70. RTO < MTPD(MTD)

71. Trailer

72. Scope

73. BCM is a Balancing Act(cont.)
High Cost High Loss
recovery
strategy disruption
Cost/Loss
Cost/Loss
Cost/Loss
Cost/Loss
Cost/Loss
Cost/Loss
Cost/Loss
Cost/Loss
Cost
Cost
Cost
Cost
Cost
Cost
Cost
Cost
Optimal Lose Business
Point
Time 73

74. Physical Security

75. OS

76. Heat and cool air
http://www.adc.com/us/en/Library/Literature/102264AE.pdf

77. Data loss on transportation

78. 從漏洞到攻擊時距縮短→大幅提高攻擊成功率
source：IBM xforce report 2008