
Information Security and Risk Management

2012-05-16 21:31  387 views




A vulnerability is the absence of a safeguard (in other words, a weakness) that can be exploited.

A threat is the possibility that someone or something would exploit a vulnerability, intentionally or accidentally, and cause harm to an asset.

A risk is the probability of a threat agent exploiting a vulnerability and the loss potential from that action.

Reducing vulnerabilities and/or threats reduces risk.

An exposure is an instance of being exposed to losses from a threat.

A countermeasure, also called a safeguard, mitigates the risk.

A countermeasure can be an application, a software configuration, hardware, or a procedure.

If someone is practicing due care, they are acting responsibly and will have a lower probability of being found negligent and liable if a security breach takes place.

Security management has become more important over the years because networks have evolved from centralized environments to distributed environments.

The objectives of security are to provide availability, integrity, and confidentiality protection for data and resources.

Strategic planning is long term, tactical planning is midterm, and operational planning is day to day. Together they make up a planning horizon.

ISO 17799 is a comprehensive set of controls comprising best practices in information security, and it provides guidelines on how to set up and maintain security programs.

Security components can be technical (firewalls, encryption, and access control lists) or nontechnical (security policy, procedures, and compliance enforcement).

Asset identification should include tangible assets (facilities, hardware) and intangible assets (corporate data, reputation).

Project sizing, which means understanding and documenting the scope of the project, must be done before a risk analysis is performed.

Assurance is the degree of confidence that a certain security level is being provided.

CobiT is a framework that defines goals for the controls that should be used to properly manage IT and ensure IT maps to business needs.

CobiT is broken down into four domains: Plan and Organize, Acquire and Implement, Deliver and Support, and Monitor and Evaluate.

ISO 17799:2005 is the newest version of BS7799 Part 1.

ISO 27001:2005 is the newest version of BS7799 Part 2.

ISO 27001:2005 provides the steps for setting up and maintaining a security program.

ISO 17799:2005 provides a list of controls that can be used within the framework outlined in ISO 27001:2005.

Security management should work from the top down, from senior management down to the staff.

Governance is the set of responsibilities and practices exercised by the board and executive management with the goal of providing strategic direction, ensuring that objectives are achieved, ascertaining that risks are managed appropriately, and verifying that the enterprise's resources are used responsibly.

Which security model a company should choose depends on the type of business, its critical missions, and its objectives.

The OECD is an international organization that helps different governments come together and tackle the economic, social, and governance challenges of a globalized economy.

Risk can be transferred, avoided, reduced, or accepted.

An example of risk transference is when a company buys insurance.

Ways to reduce risk include improving security procedures and implementing safeguards.

Threats × vulnerability × asset value = total risk

(Threats × vulnerability × asset value) × controls gap = residual risk

The main goals of risk analysis are the following: identify assets and assign values to them, identify vulnerabilities and threats, quantify the impact of potential threats, and provide an economic balance between the impact of the risk and the cost of the safeguards.

Information risk management (IRM) is the process of identifying and assessing risk, reducing it to an acceptable level, and implementing the right mechanisms to maintain that level of risk.

Failure Modes and Effect Analysis (FMEA) is a method for determining functions, identifying functional failures, and assessing the causes of failure and their effects through a structured process.

A fault tree analysis is a useful approach to detect failures that can take place within complex environments and systems.

A quantitative risk analysis attempts to assign monetary values to the components within the analysis.

A purely quantitative risk analysis is not possible, because qualitative items cannot be quantified with precision.

Capturing the degree of uncertainty when carrying out a risk analysis is important, because it indicates the level of confidence the team and management should have in the resulting figures.

When determining the value of information, the following issues must be considered: the cost to acquire and develop the data; the cost to maintain and protect the data; the value of the data to its owners, users, and adversaries; the cost of replacement if the data is lost; the price others are willing to pay for the data; lost opportunities; and the usefulness of the data.

Automated risk analysis tools reduce the amount of manual work involved in the analysis. They can be used to estimate future expected losses and calculate the benefits of different security measures.

Single loss expectancy (SLE) is the amount that could be lost if a specific threat agent exploited a vulnerability.

Single loss expectancy × annual frequency of occurrence = annualized loss expectancy (SLE × ARO = ALE).

Qualitative risk analysis uses judgment and intuition instead of numbers.

Qualitative risk analysis involves people with the requisite experience and education evaluating threat scenarios and rating the probability, potential loss, and severity of each threat based on their personal experience.

The Delphi technique is a group decision method in which each group member can communicate anonymously.

When choosing the right safeguard to reduce a specific risk, its cost, functionality, and effectiveness must be evaluated and a cost/benefit analysis performed.
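The quantitative formulas in these notes (total and residual risk, SLE × ARO = ALE, and the cost/benefit test for a safeguard) carried through on one constructed scenario. This is an added worked example, not code from the original post; the exposure factor (EF), the treatment of "threats" and "vulnerability" as likelihoods, the sample asset values and the hypothetical safeguard are assumptions introduced here.

```python
"""Quantitative risk analysis: the formulas from the notes carried through.

    total risk     = threats x vulnerability x asset value
    residual risk  = total risk x controls gap
    SLE            = asset value x exposure factor (EF)
    ALE            = SLE x ARO
    safeguard value (cost/benefit) = ALE before - ALE after - annual safeguard cost

Assumptions made here and not in the notes: 'threats' and 'vulnerability' are
treated as likelihoods in the range 0..1, the exposure factor EF is the fraction
of asset value lost in one incident, and every monetary figure is a constructed
sample, not data about any real system.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class ThreatScenario:
    """One threat against one asset, with the inputs the ALE formula needs."""
    name: str
    asset_value: float       # value of the asset at risk (constructed sample)
    exposure_factor: float   # fraction of asset_value lost per incident, 0..1
    aro: float               # annualized rate of occurrence (incidents per year)

    def __post_init__(self) -> None:
        if not 0.0 <= self.exposure_factor <= 1.0:
            raise ValueError("exposure factor must be between 0 and 1")
        if self.asset_value < 0 or self.aro < 0:
            raise ValueError("asset value and ARO must be non-negative")


def total_risk(threat_likelihood: float, vulnerability: float, asset_value: float) -> float:
    """threats x vulnerability x asset value = total risk."""
    return threat_likelihood * vulnerability * asset_value


def residual_risk(total: float, controls_gap: float) -> float:
    """(total risk) x controls gap = residual risk.

    controls_gap is the fraction of total risk the controls do NOT cover (0..1),
    so a gap of 0.0 means the controls are complete and residual risk is zero.
    """
    if not 0.0 <= controls_gap <= 1.0:
        raise ValueError("controls gap must be between 0 and 1")
    return total * controls_gap


def single_loss_expectancy(s: ThreatScenario) -> float:
    """SLE: what one occurrence of the threat would cost."""
    return s.asset_value * s.exposure_factor


def annualized_loss_expectancy(s: ThreatScenario) -> float:
    """ALE = SLE x ARO."""
    return single_loss_expectancy(s) * s.aro


def safeguard_value(before: ThreatScenario, after: ThreatScenario, annual_cost: float) -> float:
    """Cost/benefit test for a safeguard.

    A safeguard is cost-justified when the ALE it removes exceeds what it costs
    to run for a year, i.e. when the returned value is positive.
    """
    return annualized_loss_expectancy(before) - annualized_loss_expectancy(after) - annual_cost


# Constructed sample scenario: a customer database (asset value 500,000) facing a
# data-theft threat before and after a hypothetical safeguard (encryption at rest
# plus access monitoring) that lowers both the loss per incident and how often the
# threat succeeds. All numbers are invented for illustration.
DB_THEFT_BEFORE = ThreatScenario("customer DB theft, no safeguard", 500_000.0, 0.25, 0.2)
DB_THEFT_AFTER = ThreatScenario("customer DB theft, with safeguard", 500_000.0, 0.05, 0.1)
SAFEGUARD_ANNUAL_COST = 8_000.0


def analyze() -> dict:
    """Run every formula on the sample scenario and return the figures."""
    total = total_risk(threat_likelihood=0.6, vulnerability=0.5, asset_value=500_000.0)
    return {
        "total_risk": total,
        "residual_risk": residual_risk(total, controls_gap=0.2),
        "sle_before": single_loss_expectancy(DB_THEFT_BEFORE),
        "ale_before": annualized_loss_expectancy(DB_THEFT_BEFORE),
        "ale_after": annualized_loss_expectancy(DB_THEFT_AFTER),
        "safeguard_value": safeguard_value(DB_THEFT_BEFORE, DB_THEFT_AFTER, SAFEGUARD_ANNUAL_COST),
    }


if __name__ == "__main__":
    figures = analyze()
    for key, value in figures.items():
        print(f"{key:16s} {value:>12,.2f}")
    verdict = "cost-justified" if figures["safeguard_value"] > 0 else "not cost-justified"
    print(f"safeguard is {verdict}")
```

Run it directly to print the table; with the sample inputs the safeguard removes 22,500 of ALE for 8,000 a year, so the cost/benefit value is positive and the safeguard is cost-justified. Changing the controls gap to 0.0 shows the residual-risk formula collapsing to zero when the controls fully cover the total risk.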

A security policy is a statement by management dictating the role security plays in the organization.

Procedures are detailed step-by-step actions that should be followed to achieve a certain task.

A standard specifies how hardware and software are to be used. Standards are compulsory.

A baseline is the minimum acceptable level of security in an environment.

Guidelines are recommendations and general approaches that provide advice and flexibility.

Job rotation is a control to detect fraud.

Separation of duties ensures no single person has total control over an activity or task.

Mandatory vacations are a type of control that can help detect fraudulent activities.

Split knowledge and dual control are two aspects of separation of duties.

Data is classified to assign priorities to it and ensure the appropriate level of protection is provided.

Data owners specify the classification of data.

Security has functional requirements, which define the expected behavior of a product or system, and assurance requirements, which establish confidence in the implemented products or systems overall.

The security program should be integrated with current business objectives and goals.

Management must define the scope and purpose of security management, provide support, appoint a security team, delegate responsibility, and review the team's findings.

The risk management team should include individuals from different departments within the organization, not just technical personnel.

A qualitative rating would be expressed as high, medium, or low, or on a scale of 1 to 5 or 1 to 10. A quantitative result would be expressed in dollar amounts and percentages.

Safeguards should default to least privilege and have fail-safe defaults and override capabilities.

Safeguards should be imposed uniformly so everyone has the same restrictions and functionality.

A key element during the initial security planning process is to define reporting relationships.

The data custodian (information custodian) is responsible for maintaining and protecting data.

A security analyst works at a strategic level and helps develop policies, standards, and guidelines, and also sets various baselines.

Application owners are responsible for dictating who can and cannot access their applications, as well as the level of protection these applications provide for the data they process and for the company.
This post comes from the "虚拟的现实" blog; please contact the author before reposting.