【導讀】inferred.owners.

　　

【正文】 nment ? Providing security management process flows that affect the management of security interests in terms of the confidentiality, integrity, and availability of all IT systems ? Identifying options for reducing data security risks within an anization ? Providing highlevel remendations on securing information ? Developing an asset classification scheme ? Providing details on establishing a program for security monitoring, security auditing, and reporting The following elements are outside the scope of this SMF: ? Calculating the probability and impact of risks, because the Security Risk Management Guide, available at covers this in detail ? Identifying and valuing assets, because the Security Risk Management Guide discusses this ? Assessing vulnerabilities, because the Security Risk Management Guide discusses this ? Specifying regulatory pliance, because this guide covers generic security pliance best practices and not geopolitical specific requirements ? Specifying physical security and personal safety policies, because the focus of this document is IT operations security management ? Providing a detailed discussion of risk assessment and management, because the Security Risk Management Guide discusses this ? Defining specific events to monitor ? Providing a detailed discussion of the elements of a defenseindepth security policy Key Definitions This document is also a reference source. An understanding of the following key terms will help clarify the materials. Some of these terms have more than one meaning。 within the IT profession there is disagreement about the definitive meaning of some of these terms. The intention is not to provide an official definition but rather to define the use of these terms within this SMF. Security Program Security program is a collective term for the implementation of the integrated ponents that relate to the conception, design, deployment, and maintenance of anizational security. The program incorporates the elements described in this SMF, including: ? Policies. ? Awareness programs. ? Security risk management processes. Service Management Function 9 ? Asset classification. ? Security monitoring and security auditing. ? Incident response. ? Key performance indicators. Control In this SMF, the terms control and controls describe a variety of processes, procedures, or tools for reducing risk to an acceptable level. When a risk is identified, the anization must assess its potential impact, prioritize its importance, identify the options for managing the risk, and assess the business value of introducing a mitigating control. Specifically, controls are security tools, programs, policies, restrictions, and other methods used to mitigate identified risks. Examples of controls include such elements as: ? Documented processes and procedures to manage security incidents. ? An intrusion prevention system. ? The configuration of security options and settings for systems or applications. A firewall is an example of an intrusion prevention system. After identifying and assessing the risk associated with unauthorized external access to an internal work, a technician can configure a firewall to segregate one portion of a work from another, allowing only authorized work traffic to pass through according to traffic filtering rules. The configuration of security settings can make an environment more secure by limiting the authority of users to access systems, or by enforcing a security policy that forbids or restricts user activity. Organization The terms anization and anizations represent a logical or physical grouping of people. These groupings include businesses, corporations, agencies, panies, and conglomerates. Policy The terms policy and policies represent a variety of written sources that direct security practices within an anization. Policies are statements that reflect an anization’s attitude toward security and how it affects the anization, or that detail specific security issues. Policies are usually broad statements that cover general security concerns. A policy represents the anization’s directives on remended and acceptable practices for ensuring the security of information. Policies are usually highlevel descriptions that do not change frequently. Standards and guidelines define what the benchmarks are, whereas procedures generally provide prescriptive guidance. Procedures can be stepbystep instructions and are likely to change more frequently than policies. Examples of policies include: ? Email security, outlining the rules governing a secure environment for users and administrators of the service. ? Network security, identifying directives for securing work access and standards of work usage. 10 Security Management ? System security, dictating the requirements for operational security, such as virus management. Risk The term risk refers to the probability of an event occurring, and its consequences. (In the context of this SMF, the event would be a security issue.) Risks can be assessed using quantitative or qualitative measures. The process of assessing a risk identifies the risk and its impact on an anization or group. An anization can manage risk by determining an acceptable level of risk, assessing the current level of risk, taking steps to reduce the risk to the acceptable level, and maintaining that level of risk. Stakeholder Stakeholders monly are individuals and groups who work in an anization and have an interest in how security affects the operational environment. Stakeholders might also be external to an anization, for example customers and business partners. It is important to identify and involve the stakeholders when planning, implementing, and monitoring security projects. Stakeholders have a major interest in an issue, project