[Title page, 2012. Case company: Vidavo. The remaining text of the title page is not recovered.]
Abstract
The use of information systems keeps increasing and most organisations now depend on them for their operation; their Achilles heel is security. This study presents the main issues of information systems security and applies them, as a worked case, to a company specialising in telemedicine. The first part places the concept of a security policy within the wider field of information security management systems, examines whether such a policy can be developed and implemented, and describes its basic characteristics. The methodology of the study and the definition of its scope follow. The current situation in the company is then described, including a map of its web services and applications. Next the study identifies the basic principles for developing an information systems security policy and clarifies the legal framework for the protection and privacy of medical data. The following section concerns the application of the security policy in the company and records the steps required for successful and effective implementation. Finally, it describes the contingency and disaster recovery plan and sets out a risk management plan.

Key words: Information Systems, Information Security Management Systems, Security Policy, Contingency and Recovery plan, Risk management plan.

I.
[Front-matter section I, eleven numbered items; the text is not recovered.]

Contents
Abstract, p. 5
I., p. 7
II. List of figures, p. 11
III. Abbreviations, p. 12
IV., p. 13
1., p. 17
1.1, p. 17
1.2, p. 18
1.3, p. 19
1.4, p. 20
1.5, p. 21
1.5.1, p. 22
1.5.2, p. 23
1.5.3 BPL, p. 24
1.6, p. 24
2, p. 26
2.1 Step 1, p. 26
2.2 Step 2, p. 27
2.3 Step 3, p. 29
2.4 Step 4, p. 31
2.5 Step 5, p. 32
3, p. 34
4, p. 36
4.1 Computer room & lab, p. 36
4.2, p. 38
4.2.1 Vida 24, p. 38
4.2.2 Vidatrack, p. 42
4.2.3 Vida, p. 44
4.2.4 Vidahome, p. 47
4.3, p. 49
4.4, p. 50
4.4.1, p. 50
4.4.2, p. 50
4.4.3, p. 51
4.4.5, p. 51
4.4.6, p. 51
5, p. 52
5.1, p. 52
5.2, p. 52
5.3, p. 53
5.4, p. 55
5.5, p. 56
6, p. 60
6.1, p. 60
6.2, p. 63
6.3, p. 64
7, p. 65
7.1, p. 65
7.2, p. 65
7.3, p. 68
7.4, p. 69
7.5, p. 70
7.6, p. 76
7.7, p. 77
7.8, p. 78
8, p. 83
8.1, p. 83
8.2 Vidavo, p. 85
8.3, p. 89
8.3.1, p. 89
8.3.2, p. 90
8.3.3, p. 93
8.3.4, p. 96
9 Disaster recovery plan and contingency plan, p. 106
9.1, p. 108
9.2, p. 109
10, p. 110
11, p. 114
12 References, p. 115
Glossary, p. 117

II. List of figures
1. 2004-2011, p. 14
2. DBIR (Data Breach Investigation Reports), p. 15
3. 2004-2011, p. 16
4. p. 20
5. p. 22
6. p. 23
7. p. 37
8. Vidavo, p. 38
9. Vida24, p. 39
10. Vidatrack, p. 43
11. Vida, p. 45
12. p. 48
13. p. 57
14. p. 67
15. p. 75
16. p. 76
17. p. 93
18. p. 96
19. Firewall, p. 101
20. DMZ, p. 104
21. DMZ, p. 104
22. IDPS, p. 105

III. Abbreviations
CERT: Computer Emergency Response Team
CRAMM: CCTA Risk Analysis and Management Method
DAC: Discretionary Access Control
DBIR: Data Breach Investigation Report
DMZ: Demilitarized Zone
DoS: Denial of Service (the sense in which "DoS attack" is used in section 1.3)
DPR
DSS: Decision Support System
EIS: Executive Information System
EMR: Electronic Medical Records
EPROM: Erasable Programmable Read-Only Memory
ERM: Enterprise Risk Management
ERP: Enterprise Resource Planning
ES, KBS: Expert Systems, Knowledge-Based Systems
FTP: File Transfer Protocol
FVC: Forced Vital Capacity
GPS: Global Positioning System
GSM: Global System for Mobile Communications
EHR: Electronic Health Records
HL7: Health Level Seven
HTTP: Hypertext Transfer Protocol
HTTPS: Hypertext Transfer Protocol over SSL/TLS
ISMS: Information Security Management System
ISO: International Organization for Standardization
ITSEC: Information Technology Security Evaluation Criteria
MAC: Mandatory Access Control
MIS: Management Information System
PDA: Personal Digital Assistant
RBAC: Role-Based Access Control
RFID: Radio-Frequency Identification
RPC: Remote Procedure Call
SNMP: Simple Network Management Protocol
SSL: Secure Sockets Layer
TCP/IP: Transmission Control Protocol/Internet Protocol
TCSEC: Trusted Computer System Evaluation Criteria
TLS: Transport Layer Security
UPS: Uninterruptible Power Supply
URL: Uniform Resource Locator




IV.
[Introductory chapter; most of its text is not recovered. What survives:]
The chapter builds on the Verizon Data Breach Investigations Report (DBIR) series, which covers breaches from 2004 to 2011, and cites CERT (Computer Emergency Response Team). The DBIR groups threat actions into six categories: (a) malware, (b) hacking, (c) social, (d) misuse, (e) physical and environmental, (f) errors; hacking and malware are singled out. Percentages quoted from the reports (90% and 60%; for 2011, 98% and 4%; hacktivism 87%-99%) survive without the sentences that explain them.
Figure 1. 2004-2011
Figure 2. DBIR (Data Breach Investigation Reports)
Figure 3. 2004-2011
The chapter closes by introducing the case company, Vidavo.

1.
1.1
[Introduces the subject and the case company, Vidavo; the text is not recovered.]

1.2
[Text not recovered.]

1.3
Security of an information system is described through three properties:
Integrity (Integrity): data and processing are accurate and complete; information is changed only by authorised users and only in permitted ways, so that it is not corrupted or altered in storage or in transit.
Availability (Availability): systems and data are accessible to authorised users when needed. The characteristic attack on availability is the denial-of-service (DoS) attack, which overloads a system so that legitimate users cannot use it; the example given is the "Slashdot effect", where a site linked from Slashdot becomes unusable under the sudden load.
Confidentiality (Confidentiality): information is disclosed only to authorised parties. The example given is a 2006 case (the figures 480 and 80% survive, the description does not).
Figure 4.

1.4
[Text not recovered.]

1.5
A security policy is grounded in risk analysis (Risk Analysis) and in standards (standards). Basic terms:
Threat: a potential cause of an unwanted incident that can harm the system.
Vulnerability: a weakness of an asset or control that a threat can exploit.
Risk: Risk = P x L, the probability P that a threat materialises times the loss L it causes (the notation of section 1.5.3).
Countermeasure: a control that reduces a vulnerability or the probability or impact of a threat.
Figure 5.
1.5.1
[Five items, (a) to (e); the text is not recovered.]
Figure 6.
1.5.2
Structured risk-analysis methods named here are SBA (Security By Analysis), MARION and CRAMM (CCTA Risk Analysis and Management Method). [Remaining text not recovered.]

1.5.3 BPL
The BPL rule decides whether a countermeasure is worth its cost: a control is not justified when B > P * L, where
B = the cost of the countermeasure,
P = the probability that the threat materialises,
L = the loss if it does.
Equivalently, a control is justified only when its cost stays below the expected loss it prevents. The rule gives a rational basis for choosing between alternative controls and for declining controls that cost more than the damage they avert. [Remaining text not recovered.]
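The following is an added example, not code from the study, showing how the P x L definition of section 1.5 and the BPL rule of section 1.5.3 are applied to a small risk register. It generalises the rule slightly: a control is compared against the expected loss it actually removes, (P - P') x L, so that controls which reduce rather than eliminate a risk can be judged too. All assets, probabilities, losses and control costs are constructed sample values.

```python
"""Risk register with the BPL countermeasure test (added example, constructed data)."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Risk:
    asset: str
    threat: str
    p: float      # P: probability the threat materialises within a year (0..1)
    loss: float   # L: loss in EUR if it does


@dataclass(frozen=True)
class Control:
    name: str
    cost: float        # B: yearly cost of the countermeasure
    residual_p: float  # P' : probability left after the control is in place


def expected_loss(r: Risk) -> float:
    """Annual expected loss, P * L."""
    return r.p * r.loss


def loss_avoided(r: Risk, c: Control) -> float:
    """Expected loss removed by the control: (P - P') * L."""
    return (r.p - c.residual_p) * r.loss


def bpl_justified(r: Risk, c: Control) -> bool:
    """BPL rule: reject the control when B exceeds the loss it averts (B > P*L for a control that removes the risk)."""
    return c.cost <= loss_avoided(r, c)


def rank_risks(risks: List[Risk]) -> List[Risk]:
    """Highest expected loss first: the order in which risks should be treated."""
    return sorted(risks, key=expected_loss, reverse=True)


def choose_controls(risks: List[Risk],
                    options: Dict[Tuple[str, str], List[Control]]) -> Dict[Tuple[str, str], Optional[str]]:
    """For every risk pick the justified control with the largest net benefit, or None (accept the risk)."""
    plan: Dict[Tuple[str, str], Optional[str]] = {}
    for r in risks:
        best: Optional[Control] = None
        best_net = 0.0
        for c in options.get((r.asset, r.threat), []):
            net = loss_avoided(r, c) - c.cost
            if bpl_justified(r, c) and net > best_net:
                best, best_net = c, net
        plan[(r.asset, r.threat)] = best.name if best else None
    return plan


# Constructed sample register; none of these figures come from the study.
SAMPLE_RISKS = [
    Risk("EMR database", "unauthorised disclosure", p=0.10, loss=200_000),
    Risk("file server", "hardware failure", p=0.30, loss=15_000),
    Risk("lab workstation", "malware infection", p=0.50, loss=2_000),
]

SAMPLE_OPTIONS = {
    ("EMR database", "unauthorised disclosure"): [
        Control("field-level encryption", cost=8_000, residual_p=0.02),
        Control("DLP appliance", cost=25_000, residual_p=0.01),      # B exceeds the loss avoided
    ],
    ("file server", "hardware failure"): [
        Control("daily off-site backup", cost=1_200, residual_p=0.05),
    ],
    ("lab workstation", "malware infection"): [
        Control("managed EDR agent", cost=1_500, residual_p=0.10),   # B exceeds the loss avoided
    ],
}


if __name__ == "__main__":
    for r in rank_risks(SAMPLE_RISKS):
        print(f"{r.asset:16} {r.threat:26} P*L = {expected_loss(r):>9.0f}")
    for key, name in choose_controls(SAMPLE_RISKS, SAMPLE_OPTIONS).items():
        print(f"{key[0]:16} {key[1]:26} -> {name or 'accept the risk'}")
```

The register deliberately contains two controls that fail the test: an expensive DLP appliance whose cost exceeds the 18,000 EUR it would save, and an EDR agent for a low-value workstation. Both are rejected and the risk is accepted, which is the decision the BPL rule exists to make explicit.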

1.6
Security measures, also called controls (controls) or countermeasures (countermeasures), are the means by which the risks identified in the analysis are reduced to an acceptable level. The chapter groups them into four categories, (a) to (d), whose names are not recovered. Countermeasures must be kept up to date as the threats and the system change. Two plans are singled out: the disaster recovery plan (disaster recovery plan) and the contingency action plan (contingency action plan), which are treated in chapter 9. [Remaining text not recovered.]

2
[Chapter introduction not recovered.]

2.1 Step 1
The first step records the organisation's assets (assets), grouped as:
Data assets (Data assets): the data held and processed; the DNS server is cited as an example of a component holding such data.
End user services (End User Services): the services delivered to the end users.
[Two further categories whose names are not recovered; one lists four kinds of equipment.]
Software (software): operating systems and applications.
[Remaining text not recovered.]

2.2 Step 2
The second step is the risk analysis of the assets (assets). It identifies the exposures (exposures), vulnerabilities (vulnerabilities) and threats (threats) and the existing controls (control). The BPL rule of section 1.5.3 is applied when weighing countermeasures, and formal security models (e.g. BLP, Biba) are referred to for the access-control part.
The risk analysis (Risk Analysis) proceeds in six steps:
1. Identify the threats (threats).
2. Identify the vulnerabilities (vulnerabilities).
3. Estimate the losses (losses).
4. [Step name not recovered.]
5. Select the countermeasures (countermeasures); the losses of step 3 are the quantity against which their cost is weighed.
6. Check that the selected countermeasures are cost effective (cost effective).
The analysis spans computer security (computer security), network security (network security) and physical security (physical security), and considers four classes of threat: logical infiltration (logical infiltration), communications infiltration (communications infiltration), failures of equipment (failures of equipment) and physical threats (physical threats). Logical infiltration covers unauthorised access to data and programs, including database security (database security); communications infiltration covers attacks on data while they travel between systems. [Remaining text not recovered.]

2.3 Step 3
The third step is the drafting of the security policy. The policy is written above the level of individual mechanisms: it names the objects it covers (systems, networks, sockets and so on) and the roles and responsibilities (roles and responsibilities), and it refers to standards (standards) such as TCSEC and ITSEC. Its components are:
Assets (Assets): what is protected.
Roles and responsibilities (Roles and Responsibilities): who is accountable for each asset and control.
Security policy objectives (Security policy objectives): what the policy is meant to achieve.
Scope of security policy (Scope of Security Policy): which systems, sites and people it applies to.
Guidelines (Guidelines): the concrete instructions derived from the policy.
Culture, legislation, other policies (Culture, legislation, other policies): the organisational and legal context the policy must fit.
Implementation and application of the security policy - awareness, enforcement, breach: how staff are informed, how compliance is enforced and how violations are handled.
Review and audit (Review and audit): how and when the policy is checked and revised.
The policy is expressed as rules (rules) stating what is permitted and what is forbidden. [Remaining text not recovered.]

2.4 Step 4
The fourth step applies the policy to the information systems. Areas covered include application development and maintenance (Application development and maintenance), vendor support and the reliability of contracts (Vendor support-contracts reliability), and a hardware and software inventory (hardware and software inventory). Data are classified (Classification of data) according to their sensitivity, and the class determines the protection each item receives. Four sub-steps, 1 to 4, are listed; their text is not recovered. The planning tool UniPlan is mentioned.

2.5 Step 5
The fifth step is contingency planning. It identifies the critical functions and systems (critical functions and systems), defines a protection strategy (protection strategy), and provides for a disaster recovery facility (disaster recovery facility) or alternate site (alternate site) from which operations continue after a disaster. [Remaining text not recovered.]

3
[Chapter introduction not recovered.]
Current situation: the company's servers are located in the computer room (Computer room) and hold the backups (backups). Server operating systems are Windows Server 2000 and Red Hat Enterprise Linux. A second group of servers sits in the lab (Lab). The services and applications in operation are:
Backup
Vida 24
Vida track
Vida [name not recovered]
Vida Shop, Vidahome, pmp
Mobile applications (Vida 24 mobile, Vidahealth mob) and PC applications (communicating with the measuring devices over Bluetooth and with the server)
[Remaining text not recovered.]

4
4.1 Computer room & lab
The computer room (computer room) houses the production servers (backup servers, database server, file server, etc.), running Windows 2003 Server and Linux; they host Vida24, Vida, Vidahome and Vidatrack. The file servers are backed up. The Windows hosts run Eset Smart Security, which combines antivirus, firewall, antispyware and antispam; backups on Windows are taken with Seagate software. The Linux server runs "Anticlam" (presumably ClamAV), host firewalls and OSSEC, and also holds the Windows backups. Hacking (hacking) attempts against the company's public services are a recognised concern. The servers in the data center (Windows 2000 and Red Hat Enterprise Linux) are rack-mounted; the lab (lab) machines are separate and protected by antivirus. Vidavo updates the antivirus centrally; the firewall and the antivirus are the main protective measures currently in place.
Figure 7.

4.2
[Introductory text not recovered.]
4.2.1 Vida 24
4.2.1.1
Vida24 is Vidavo's service for remote monitoring of patients. [Details not recovered.]
Figure 8. Vidavo
4.2.1.2
Recoverable details: the measurements are taken with portable devices and sent over Bluetooth to a mobile phone, smartphone or PC (H/Y), from where they reach the service; the service operates 24 hours a day.
Figure 9. Vida24
4.2.1.3
Recoverable details: notifications are sent by email or fax; a modem provides connectivity where there is no other link.
4.2.1.4
[Text not recovered.]

4.2.2 Vidatrack
4.2.2.1
Vidatrack is Vidavo's location and alert service; it complements vida24 and targets, among others, patients with Alzheimer's disease.
4.2.2.2
The device carried by the patient contains a GPS receiver, a GSM modem and a panic button (panic button). Two functions:
1. Alert button (alert button): pressing the button (SOS) raises an alarm; carers are notified on a mobile phone or smartphone by SMS.
2. Location tracking (location tracking): for Alzheimer patients the GPS tracker (GPS Tracker) reports the patient's position, so that a patient who wanders off can be located.
Figure 10. Vidatrack
4.2.2.3
Users are patients' relatives and carers, Alzheimer patients and other at-risk patients. [Remaining text not recovered.]

4.2.3 Vida [name not recovered]
4.2.3.1
A web-based (web-based) application for mental-health assessment, built around the DSM-IV-TR classification. Three parts, (a) to (c), are listed; their names are not recovered.
Figure 11. Vida
4.2.3.2
[Two numbered parts; text not recovered.]
4.2.3.3
[Text not recovered.]

4.2.4 Vidahome
4.2.4.1
[Text not recovered.]
4.2.4.2
[Text not recovered.]
Figure 12.
4.2.4.3
[Text not recovered.]

4.3
The services are web based (web based); clinicians and patients use them from a mobile phone, PDA, laptop, netbook or PC. Data exchange with other systems uses the HL7 and ECG-SCP standards, and an online mode is available. [Remaining text not recovered.]

4.4
4.4.1
[Text not recovered.]
4.4.2
[Text not recovered.]
4.4.3
[Text not recovered; mentions Vida.]
4.4.4
[Text not recovered; mentions the panic button.]
4.4.5
[Text not recovered.]
4.4.6
[Text not recovered.]

5
5.1
[Text not recovered.]
5.2
1. [Not recovered.]
2. Secure communication protocols: for the web (www) SSL (Secure Sockets Layer); for e-mail S/MIME, PEM (Privacy Enhanced Mail) and PGP (Pretty Good Privacy); for payments SET (Secure Electronic Transaction).
3. [Not recovered.]
5.3
[Introductory text not recovered.] Eleven numbered requirements follow; item 6 mentions 24-hour operation; the rest are not recovered.
5.4
[Text not recovered.]
5.5
The technical measures are encryption (encryption), authentication (authentication), firewalls (firewalls) and hardening of the servers (servers).
Figure 13.
Encryption: the asymmetric algorithms named are RSA, Diffie-Hellman and ElGamal; the symmetric ones are 3DES (Triple Data Encryption Standard), AES (Advanced Encryption Standard), Blowfish and CAST. Symmetric ciphers protect bulk data; asymmetric ones are used for key exchange and signatures.
Authentication: every user has a user ID (user ID); user IDs are unique, are never shared, and each is tied to a password that only its holder knows. [Remaining text not recovered.]
Malware protection: an e-mail scanner (e-mail scanner) checks messages; memory-resident (memory resident) antivirus monitors each host; antivirus signatures are kept current. [Remaining text not recovered.]

6
6.1
Vidavo processes personal medical data, which count as sensitive data under Greek Law 2472/97 (protection of personal data) and Law 2774/99 (protection of personal data in telecommunications); Law 2472/97 transposes Directive 95/46/EC. [Remaining text not recovered.] The obligations are listed in three groups:
1. [Three items, (a) to (c); not recovered.]
2. [Four items, (a) to (d); not recovered.]
3. [Four items, (a) to (d); not recovered.]
6.2
Medical confidentiality: Article 371 of the Penal Code penalises breach of professional secrecy; the code of medical ethics (Royal Decree of 25/5/1955) and Article 47(6) of Law 2071/92 impose the duty of confidentiality on medical staff. [Remaining text not recovered.]
6.3
Security requirements for the telemedicine system:
authentication (authentication): the identity of each user is verified.
authorisation (Authorisation): each user accesses only what they are permitted to.
confidentiality (confidentiality): data are disclosed only to authorised parties.
integrity (integrity): data are not altered in an unauthorised way, in storage or in transit.
non-repudiation (non-repudiation): a party cannot deny an action it performed.
revision / audit (revision / audit): actions are recorded and can be reviewed.
accountability (accountability): every action can be attributed to the user who performed it.
transparency (transparency): the security measures do not obstruct legitimate use.
availability (availability): the system is accessible when needed.

7
7.1
The implementation of the policy follows six steps; their text is not recovered, except that step 3 distinguishes three groups of measures.
7.2
Threats to the information system are classified by their effect on the flow of information:
Interruption (interruption): an asset becomes unavailable or unusable, for example destruction of hardware, cutting of a line or disabling of a service; an attack on availability.
Interception (interception): an unauthorised party gains access to an asset, for example by eavesdropping on a line or copying files; an attack on confidentiality, hard to detect because nothing visibly changes.
Modification (modification): an unauthorised party alters an asset, for example values in a database or the content of a message in transit; an attack on integrity.
Fabrication (fabricate): an unauthorised party inserts counterfeit objects into the system, for example spurious messages or records; an attack on authenticity.
Figure 14.
The sources of threats are then grouped into four classes (natural, accidental, deliberate and technical); the details are not recovered. [14]

7.3
Physical and environmental threats to the information system, in three groups:
(a) Power supply: failures and fluctuations damage equipment and interrupt service; an uninterruptible power supply (UPS; "Uninterrupted Power Supply" in the original) bridges short outages and allows an orderly shutdown. [Remaining text not recovered.]
(b) [Not recovered.]
(c) [Not recovered.]
7.4
[Text not recovered.]

7.5
[Most of this section is not recovered. Recoverable points:] Network services that carry credentials or data in clear (rlogin, ftp and the like) must be restricted or replaced. Remote procedure calls (RPC) are a further exposure. The login path (getty-login on Unix) must be protected and logins must be monitored (monitoring). Hosts that boot from EPROM or over the network (remote boot) must obtain their images from a trusted source. SNMP management and terminal servers (terminal servers) must be secured, since they give control over network devices.
Figure 15.
Controls are grouped as (a) to (d); their text is not recovered.
Figure 16.

7.6
[Text not recovered; four items (a) to (d); mentions telephone, fax and email as communication channels.]
7.7
[Text not recovered; three items (a) to (c).]
7.8
Identification and authentication of users:
(a) Passwords. A password is the most common means of authentication and also the weakest: passwords are guessed, shared, written down, captured or reused across systems (the same password on the office PC, for instance). The section discusses password rules and the trade-off between strength and usability. [Details not recovered.]
(b) Tokens (tokens): physical devices the user holds; stronger than a password alone, but they can be lost or stolen, so they are combined with a password or PIN.
[Further items not recovered.] Requirements for the authentication mechanism are then listed and an ISO standard is referred to. [Text not recovered.]
Mechanisms are grouped as (a) to (d); their text is not recovered.

8
8.1
A security policy is a set of high-level statements (high-level statements) of what the organisation protects and how. The requirements a trustworthy system must meet (as formulated in TCSEC) are:
Security policy (security policy): an explicit, well-defined policy that the system enforces.
Identification (identification): every subject is identified before it is granted access.
Marking (marking): objects carry labels stating their classification.
Accountability (accountability): security-relevant actions are logged and attributable to a user.
Assurance (assurance): the mechanisms can be evaluated independently.
Continuous protection (continuous protection): the mechanisms themselves are protected from tampering.
A system is then assessed on the properties usability (Usability), generality (Generality), efficiency (Efficiency), flexibility (Flexibility), opacity (Opacity), security (Security), integrity (Integrity), capacity (Capacity), reliability (Reliability), serviceability (Serviceability), extensibility (Extensibility) and availability (Availability). [The definitions are not recovered.]

8.2 Vidavo
The security policy for Vidavo opens with personnel security (Personnel Security), the measures concerning staff before, during and after employment. [Details not recovered.] Eight numbered policy statements, 1 to 8, follow; their text is not recovered.

8.3
8.3.1
Physical security of the computer room (Computer Room): access is limited to authorised staff and the room is protected against environmental hazards (safety); the equipment is powered through an uninterruptible power supply (UPS). [Details not recovered.]
8.3.2
8.3.2.1
Physical access to the servers is controlled with smart cards (smart card): each authorised employee holds a personal card, and a smart card reader (smart card reader) at the entrance records every entry. [Details not recovered.]

8.3.2.2
Logical access control decides which users may perform which operations on which objects. Three kinds of rule are distinguished (their text is not recovered). Three access-control models are considered:
Discretionary access control (Discretionary Access Control, DAC): the owner of an object decides who may access it and may pass rights on. It is flexible, but rights can spread beyond what the organisation intends, and a program running on behalf of a user carries all of that user's rights, so a malicious program can leak data the user is allowed to read [24].
Mandatory access control (Mandatory Access Control, MAC): the organisation labels subjects and objects (for example by sensitivity level) and the system enforces the rules regardless of the owner's wishes; information cannot flow to a lower label. It is rigid, but suited to classified data such as medical records.
Role-based access control (Role-Based Access Control, RBAC): permissions are attached to roles (physician, nurse, administrator and so on) and users are assigned roles. This matches the structure of a medical organisation and keeps the administration of rights manageable when staff join, move or leave [24].
[Remaining text not recovered.]
Figure 17.
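The following is an added example, not code from the study, that makes the three models of section 8.3.2.2 concrete on medical data, using the sensitivity labels that the data classification step of section 2.4 would produce and the Bell-LaPadula (BLP) rules named in section 2.2: owner-controlled ACLs for DAC, label comparison for MAC, and role-to-permission mapping for RBAC, with a combined decision that requires both the role and the labels to agree. The roles, users, clearances and labels are constructed for the example.

```python
"""DAC, MAC and RBAC decisions over medical records (added example, constructed data)."""
from enum import IntEnum
from typing import Dict, Optional, Set, Tuple


# ---- Labels from the data classification; in MAC they are set by the organisation, not by owners.
class Label(IntEnum):
    PUBLIC = 0
    INTERNAL = 1
    MEDICAL = 2       # patient data under medical secrecy
    PSYCHIATRIC = 3   # stricter class, e.g. the DSM-based assessments


def mac_can_read(session: Label, label: Label) -> bool:
    """Bell-LaPadula simple security property: no read up."""
    return session >= label


def mac_can_write(session: Label, label: Label) -> bool:
    """Bell-LaPadula *-property: no write down, so MEDICAL data cannot be copied into a PUBLIC object."""
    return session <= label


# ---- DAC: the owner of an object hands out rights and may delegate the right to hand them out.
class DacObject:
    def __init__(self, owner: str) -> None:
        self.acl: Dict[str, Set[str]] = {owner: {"read", "write", "grant"}}

    def grant(self, by: str, to: str, right: str) -> None:
        if "grant" not in self.acl.get(by, set()):
            raise PermissionError(f"{by} may not delegate rights on this object")
        self.acl.setdefault(to, set()).add(right)

    def allowed(self, who: str, right: str) -> bool:
        return right in self.acl.get(who, set())


# ---- RBAC: permissions attach to roles; users receive roles, never permissions directly.
Permission = Tuple[str, str]   # (object type, action)

ROLE_PERMISSIONS: Dict[str, Set[Permission]] = {
    "physician":     {("record", "read"), ("record", "write"), ("prescription", "write")},
    "nurse":         {("record", "read"), ("vitals", "write")},
    "call_centre":   {("alert", "read"), ("alert", "acknowledge")},
    "administrator": {("account", "create"), ("account", "disable"), ("audit_log", "read")},
}

# Constructed directory; roles and clearances would come from HR and the data classification.
USER_ROLES: Dict[str, Set[str]] = {
    "dr_k": {"physician"}, "nurse_p": {"nurse"}, "ops_1": {"call_centre"}, "sysadm": {"administrator"},
}
USER_CLEARANCE: Dict[str, Label] = {
    "dr_k": Label.PSYCHIATRIC, "nurse_p": Label.MEDICAL, "ops_1": Label.INTERNAL, "sysadm": Label.INTERNAL,
}


def rbac_allowed(user: str, obj_type: str, action: str) -> bool:
    return any((obj_type, action) in ROLE_PERMISSIONS.get(role, set())
               for role in USER_ROLES.get(user, set()))


def decide(user: str, obj_type: str, action: str, label: Label,
           session: Optional[Label] = None) -> bool:
    """Combined check: the role must permit the operation AND the labels must permit the flow.

    `session` is the level the user works at for this operation; it defaults to, and may
    never exceed, the user's clearance."""
    clearance = USER_CLEARANCE.get(user, Label.PUBLIC)
    session = clearance if session is None else session
    if session > clearance or not rbac_allowed(user, obj_type, action):
        return False
    return mac_can_read(session, label) if action == "read" else mac_can_write(session, label)


if __name__ == "__main__":
    print("nurse reads MEDICAL record:", decide("nurse_p", "record", "read", Label.MEDICAL))
    print("nurse reads PSYCHIATRIC record:", decide("nurse_p", "record", "read", Label.PSYCHIATRIC))
    print("sysadm reads any record:", decide("sysadm", "record", "read", Label.INTERNAL))
```

Note the separation the RBAC table enforces: the administrator role manages accounts and reads the audit log but holds no permission on patient records at all, so even with a high clearance the combined check refuses it. The `session` argument shows the usual BLP practice of a user working below their clearance so that the no-write-down rule does not block ordinary writes.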

8.3.3
Logging and monitoring: the systems record who accessed which data and when, so that misuse can be detected and investigated after the fact. Three groups of records are kept, (a) to (c); their text is not recovered. Logs are reviewed regularly and periodic audits (audits) are carried out. [Remaining text not recovered.]

8.3.4
Network security. [Introductory text not recovered.]
Figure 18.
Access to the web applications is over HTTPS with SSL. The perimeter consists of a firewall, web access systems, mail security systems and network IPS/IDS; the hosts run an end point security system, and gateway security (Gateway Security) filters traffic at the edge. The components are:
Firewall
Antivirus
Antispyware
Antispam
URL Filtering
DMZ (Demilitarized Zone)
Intrusion Detection / Prevention Systems
8.3.4.1
[Introductory text not recovered.]

HTTPS (HTTP over SSL/TLS)
HTTPS was introduced by Netscape Communications Corporation for its browser and is used by sites that handle sensitive data. It is ordinary HTTP carried over a Secure Sockets Layer (SSL) connection, which encrypts the traffic and protects it from eavesdropping and man-in-the-middle attacks. The client verifies the certificate of the server (server), issued by a certificate authority (certificate authority) that the client trusts; a certificate that does not validate or does not match the host must be rejected, otherwise the protection is void. HTTPS protects data only in transit: it does not protect the data stored on the server, and a site that uses HTTPS is not automatically secure in other respects.

SSL (Secure Sockets Layer)
SSL was also developed by Netscape; version 3.0 was released in 1996, and its standardised successor is TLS (Transport Layer Security). SSL sits between TCP/IP and the application protocol, so HTTP, FTP, telnet and others can be carried over it unchanged. SSL provides:
(a) authentication of the server to the client,
(b) optionally, authentication of the client to the server,
(c) an encrypted channel between the two.
Operation: the parties negotiate the algorithms, the server presents its certificate, a session key is agreed with public-key cryptography, and the data are then encrypted with a symmetric algorithm and protected by a message authentication code that detects modification or reordering of bytes. [Remaining text not recovered.]
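The point of the HTTPS section is that the client must actually verify the server's certificate and name, otherwise a man-in-the-middle is not detected. The following is an added example, not code from the study, using the Python standard `ssl` module: the weak client configuration that "just works" beside the hardened one, plus a small audit function that reports what is wrong with a context. The hostname and the `peer_certificate` helper are illustrative; only the audit runs offline.

```python
"""TLS client contexts: the weak configuration next to the hardened one (added example)."""
import socket
import ssl
from typing import List, Optional


def insecure_context() -> ssl.SSLContext:
    """The 'make the error go away' configuration: accepts any certificate for any name."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False                 # must be cleared before verify_mode may be CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE            # no CA check: a man-in-the-middle certificate is accepted
    ctx.minimum_version = ssl.TLSVersion.MINIMUM_SUPPORTED   # old protocol versions negotiable
    return ctx


def hardened_context(cafile: Optional[str] = None) -> ssl.SSLContext:
    """Chain checked against the trust store, name checked, TLS 1.2 or later, no compression."""
    ctx = ssl.create_default_context(cafile=cafile)   # CERT_REQUIRED and check_hostname=True
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.options |= ssl.OP_NO_COMPRESSION              # CRIME-class attacks need TLS compression
    return ctx


def audit_context(ctx: ssl.SSLContext) -> List[str]:
    """Return the weaknesses of a client context; an empty list means it passes."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("server certificate is not verified")
    if not ctx.check_hostname:
        findings.append("certificate name is not matched against the host")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("protocol versions below TLS 1.2 are negotiable")
    if not ctx.options & ssl.OP_NO_COMPRESSION:
        findings.append("TLS compression is enabled")
    return findings


def peer_certificate(host: str, port: int = 443, ctx: Optional[ssl.SSLContext] = None) -> dict:
    """Connect with the hardened context and return the verified server certificate (needs network).

    With the insecure context the same call succeeds against any certificate, which is the problem."""
    ctx = ctx or hardened_context()
    with socket.create_connection((host, port), timeout=10) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return tls.getpeercert()


if __name__ == "__main__":
    print("insecure:", audit_context(insecure_context()))
    print("hardened:", audit_context(hardened_context()))
```

`getpeercert()` returns a populated dictionary only when the certificate was verified; with `CERT_NONE` it returns an empty one, which is a quick way to detect in code that verification was switched off somewhere.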

8.3.4.2 End point security systems
An end point security system protects each workstation and server (the "end point") with a centrally managed agent that combines anti-virus, anti-spyware and a host firewall, and stops malware at the host itself. Attackers target clients whose firewall or anti-virus is out of date, so the agents are updated centrally. The product named is Symantec Endpoint Protection 11 ("Synematic" in the original).

8.3.4.3 Firewall
The firewall separates the company's network from the Internet and enforces the access policy between them. Modern firewalls also combine antivirus, URL filtering and antispam in one unified threat management device (UTM, Unified Threat Management), implemented in software or as a hardware appliance. The firewall inspects every packet that crosses the perimeter and passes or drops it according to its rules.

Figure 19. Firewall
Threats a firewall helps to control:
Remote login (Remote login): an outsider logging in to a host to read files or run programs.
Application backdoors (Application backdoors): hidden features or bugs in programs that give remote access.
E-mail bombs (E-mail bombs): the same message sent thousands of times until the mail server or the mailbox is unusable.
Macros (Macros): scripts embedded in documents that run when the document is opened and can destroy data.
Viruses (Viruses): programs that copy themselves from host to host; the damage ranges from a nuisance to deletion of data.
Spam: unsolicited e-mail, mostly harmless in itself but a carrier of links to malicious sites.

8.3.4.4 Antivirus
Antivirus software is installed at three levels:
1. On the servers and the workstations (H/Y), protecting each host.
2. On the application servers (mail servers, proxy servers, etc.), scanning traffic before it reaches the workstations.
3. On the gateways (Gateways), scanning traffic entering from the Internet.
Signatures are updated centrally and automatically.

8.3.4.5 Antispyware
Spyware collects information from a workstation and consumes bandwidth (bandwidth). Antispyware runs on the hosts and on the gateway (Gateway) or proxy (proxy); since spyware is mostly picked up from web sites, it works together with URL filtering.

8.3.4.6 Antispam
Antispam filters incoming emails and rejects or quarantines spam. It runs on the mail gateway, often integrated with the firewall, and is tuned so that legitimate mail is not blocked.

8.3.4.7 DMZ (Demilitarized Zone)
A DMZ is a separate network segment, attached to its own interface of the hardware firewall, that holds the servers which must be reachable from the Internet (the web site, mail). The firewall allows traffic from the Internet only into the DMZ, and allows only narrowly defined traffic from the DMZ into the internal network, so that a compromised public server does not give access to the internal systems.
Figure 20. DMZ
A host in the DMZ answers requests from the Internet but cannot open connections into the internal network except where a rule explicitly permits it.
Figure 21. DMZ
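The following is an added example, not the company's firewall configuration, that expresses the DMZ design of section 8.3.4.7 as a first-match packet-filter policy and evaluates connection attempts against it. It shows the two rules that make a DMZ work: the Internet reaches only the public service, and the DMZ reaches the inside only on the one port the application needs. Addresses are constructed from the RFC 5737 documentation ranges and RFC 1918 space; the port numbers are assumptions.

```python
"""First-match packet-filter policy for an Internet / DMZ / internal design (added example)."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

INTERNET = ipaddress.ip_network("0.0.0.0/0")
DMZ = ipaddress.ip_network("192.0.2.0/24")
INTERNAL = ipaddress.ip_network("10.10.0.0/16")
WEB_SRV = ipaddress.ip_network("192.0.2.10/32")   # public web front end, lives in the DMZ
DB_SRV = ipaddress.ip_network("10.10.5.20/32")    # database, internal only


@dataclass(frozen=True)
class Rule:
    action: str                   # "allow" or "deny"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    proto: str                    # "tcp", "udp" or "any"
    dport: Optional[int]          # None matches any destination port
    why: str = ""


# Order matters: the first matching rule wins and the last rule is the default deny.
POLICY: List[Rule] = [
    Rule("allow", INTERNET, WEB_SRV, "tcp", 443, "public HTTPS service in the DMZ"),
    Rule("allow", WEB_SRV, DB_SRV, "tcp", 5432, "only the web server may query the database"),
    Rule("allow", INTERNAL, DMZ, "tcp", 22, "administrators manage DMZ hosts over SSH"),
    Rule("allow", INTERNAL, INTERNET, "tcp", 443, "staff browse over HTTPS"),
    Rule("deny", DMZ, INTERNAL, "any", None, "a compromised DMZ host must not reach the inside"),
    Rule("deny", INTERNET, INTERNAL, "any", None, "the internal network is never exposed"),
    Rule("deny", INTERNET, INTERNET, "any", None, "default deny"),
]


def matches(rule: Rule, src: ipaddress.IPv4Address, dst: ipaddress.IPv4Address,
            proto: str, dport: int) -> bool:
    return (src in rule.src and dst in rule.dst
            and rule.proto in ("any", proto)
            and (rule.dport is None or rule.dport == dport))


def decide(src: str, dst: str, proto: str, dport: int, policy: List[Rule] = POLICY) -> Tuple[str, str]:
    """Evaluate a connection attempt against the policy; returns (action, reason)."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for rule in policy:
        if matches(rule, s, d, proto, dport):
            return rule.action, rule.why
    return "deny", "no rule matched"   # unreachable with the default-deny rule above; kept as a safety net


if __name__ == "__main__":
    for flow in [("203.0.113.5", "192.0.2.10", "tcp", 443),
                 ("203.0.113.5", "10.10.5.20", "tcp", 5432),
                 ("192.0.2.10", "10.10.5.20", "tcp", 5432),
                 ("192.0.2.11", "10.10.5.20", "tcp", 5432),
                 ("10.10.1.7", "192.0.2.10", "tcp", 22)]:
        print(flow, "->", decide(*flow))
```

Note that the second DMZ host (192.0.2.11) is refused the database even on the permitted port: the rule is written for the web server's address, not for the whole DMZ, which is what limits the blast radius of a compromised public host.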

8.3.4.8 IDS/IPS (Intrusion Detection / Prevention System)
An IDS/IPS inspects traffic for attacks and malicious content (worms, Trojans, spyware, keyloggers, etc.). Protection against previously unseen attacks (zero day protection) relies on anomaly detection, while known attacks are recognised by signature and pattern matching (signature & pattern matching). An IDS only raises an alert; an IPS sits in line and also blocks the traffic.
Figure 22. IDPS
A firewall and an IPS complement each other: the firewall filters on IP address, port and protocol, while the IPS examines the content of the traffic the firewall has let through. Network-based sensors watch the network segments; host-based sensors watch individual servers. The host-based IDS (HID) used is OSSEC (Host-based Intrusion Detection System), which analyses logs and monitors file integrity on the servers. [Remaining text not recovered.]
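Signature matching and log review (sections 8.3.3 and 8.3.4.8) are easiest to understand on real-looking input. The following is an added example, not a rule set from OSSEC or from the study, that applies two rule types a host-based IDS uses to a constructed syslog excerpt: a single-event signature (a SQL-injection pattern in a web request, matched after URL decoding so that `%27` cannot hide the quote) and a correlation rule (five failed logins from one address within two minutes). Hosts, users and addresses are invented.

```python
"""Signature and threshold detection over constructed log lines (added example)."""
import re
from collections import defaultdict, deque
from datetime import datetime
from typing import Deque, Dict, List, Optional, Tuple
from urllib.parse import unquote

# Constructed syslog excerpt; hosts, users and addresses are invented (RFC 5737 / RFC 1918 ranges).
SAMPLE_LOG = """\
Mar 12 10:01:03 srv1 sshd[2201]: Failed password for invalid user admin from 198.51.100.7 port 51234 ssh2
Mar 12 10:01:05 srv1 sshd[2201]: Failed password for invalid user admin from 198.51.100.7 port 51236 ssh2
Mar 12 10:01:06 srv1 sshd[2203]: Failed password for root from 198.51.100.7 port 51240 ssh2
Mar 12 10:01:08 srv1 sshd[2204]: Failed password for root from 198.51.100.7 port 51241 ssh2
Mar 12 10:01:09 srv1 sshd[2205]: Failed password for root from 198.51.100.7 port 51242 ssh2
Mar 12 10:03:41 srv1 sshd[2210]: Accepted publickey for nurse1 from 10.10.3.4 port 40100 ssh2
Mar 12 10:05:10 srv1 apache2: 203.0.113.9 - - "GET /app/records.php?id=1%27%20OR%201%3D1-- HTTP/1.1" 200 5120
Mar 12 10:07:55 srv1 sshd[2222]: Failed password for nurse1 from 10.10.3.4 port 40102 ssh2
Mar 12 10:08:30 srv1 apache2: 10.10.3.4 - - "GET /app/records.php?id=42 HTTP/1.1" 200 2210
"""

LINE_RE = re.compile(r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) "
                     r"(?P<prog>[^:\[]+)(?:\[\d+\])?: (?P<msg>.*)$")
FAILED_LOGIN_RE = re.compile(r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\d+\.\d+\.\d+\.\d+)")
WEB_REQUEST_RE = re.compile(r'^(?P<ip>\d+\.\d+\.\d+\.\d+) \S+ \S+ "(?P<method>[A-Z]+) (?P<target>\S+)')
SQLI_RE = re.compile(r"'\s*(?:or|and)\s+\d+\s*=\s*\d+", re.IGNORECASE)   # e.g.  ' OR 1=1


def parse_line(line: str) -> Optional[Tuple[datetime, str, str, str]]:
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S")   # syslog carries no year; one year is assumed
    return ts, m["host"], m["prog"], m["msg"]


def analyse(log_text: str, threshold: int = 5, window_s: int = 120) -> List[Dict]:
    """Run both rules over the log and return the alerts in the order they fire."""
    alerts: List[Dict] = []
    failures: Dict[str, Deque[datetime]] = defaultdict(deque)
    already_alerted = set()
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, host, prog, msg = parsed

        # Correlation rule: repeated failed logins from one source inside a sliding window.
        fm = FAILED_LOGIN_RE.search(msg)
        if fm:
            recent = failures[fm["ip"]]
            recent.append(ts)
            while recent and (ts - recent[0]).total_seconds() > window_s:
                recent.popleft()
            if len(recent) >= threshold and fm["ip"] not in already_alerted:
                already_alerted.add(fm["ip"])   # one alert per source, not one per further attempt
                alerts.append({"rule": "ssh-bruteforce", "ip": fm["ip"], "count": len(recent), "host": host})

        # Signature rule: decode the request first so percent-encoding cannot evade the pattern.
        wm = WEB_REQUEST_RE.match(msg)
        if wm and SQLI_RE.search(unquote(wm["target"])):
            alerts.append({"rule": "web-sqli", "ip": wm["ip"], "target": unquote(wm["target"]), "host": host})
    return alerts


if __name__ == "__main__":
    for alert in analyse(SAMPLE_LOG):
        print(alert)
```

The single failed login of `nurse1` from the internal address stays below the threshold and produces nothing, which is the point of the window: the rule fires on a pattern, not on every error.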

9 Disaster recovery plan and contingency plan
The plan defines how the company keeps operating during a disruption and how it restores normal operation afterwards. It starts from a review of the risk analysis (risk analysis review) to identify the events that would interrupt service and the systems they affect. [Details not recovered.]
9.1
Roles and responsibilities in the recovery organisation are assigned; seven roles are listed, two of which concern restoring and verifying the EHR data. [Text not recovered.]
9.2
Recovery procedures: the plan lists the backup media, where they are kept and the order in which systems are restored; the restoration must be rehearsed, because a backup that has never been restored is of unknown value. [Details not recovered.] Two kinds of alternate facility are distinguished:
Cold sites (cold sites, shells): empty premises with power and connectivity where equipment is installed after the disaster; cheap, but recovery takes days.
Hot sites (hot sites): a fully equipped facility with current copies of the data, able to take over within hours; expensive, and justified only for critical functions.
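The recovery procedures of section 9.2 are only as good as the last successful restore. The following is an added example, not the company's backup procedure, of the drill a practitioner should run against a backup: archive a directory, restore it somewhere else, and verify every file against a hash manifest taken at backup time. It also shows that a damaged restore (a file missing, a file altered) is reported rather than silently accepted. The sample files are constructed in a temporary directory.

```python
"""Backup-and-restore drill: archive, restore elsewhere, verify by hash (added example)."""
import hashlib
import os
import tarfile
import tempfile
from pathlib import Path
from typing import Dict, List, Tuple


def sha256_of(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def manifest(root: Path) -> Dict[str, str]:
    """Relative path -> SHA-256 for every regular file under root."""
    return {str(p.relative_to(root)).replace(os.sep, "/"): sha256_of(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def make_backup(source: Path, archive: Path) -> Dict[str, str]:
    """Write a gzip tar of `source` and return the manifest taken at backup time."""
    with tarfile.open(archive, "w:gz") as tar:
        tar.add(source, arcname=".")
    return manifest(source)


def restore_backup(archive: Path, target: Path) -> None:
    target.mkdir(parents=True, exist_ok=True)
    with tarfile.open(archive, "r:gz") as tar:
        try:
            tar.extractall(target, filter="data")   # rejects path traversal and absolute names
        except TypeError:                           # interpreter without the filter argument
            tar.extractall(target)


def verify_restore(expected: Dict[str, str], restored: Path) -> Tuple[bool, List[str]]:
    """Compare the restored tree with the manifest; report missing, unexpected and altered files."""
    actual = manifest(restored)
    problems = [f"missing: {p}" for p in expected if p not in actual]
    problems += [f"unexpected: {p}" for p in actual if p not in expected]
    problems += [f"altered: {p}" for p in expected if p in actual and actual[p] != expected[p]]
    return (not problems, problems)


def run_drill() -> Dict[str, object]:
    """Full drill on constructed data, including a deliberately damaged restore."""
    with tempfile.TemporaryDirectory() as tmp:
        src = Path(tmp) / "data"
        (src / "records").mkdir(parents=True)
        (src / "records" / "patient-0001.xml").write_text("<record id='0001'>constructed</record>")
        (src / "config.ini").write_text("[server]\nport=8443\n")
        archive = Path(tmp) / "nightly.tar.gz"
        expected = make_backup(src, archive)

        clean = Path(tmp) / "restore-clean"
        restore_backup(archive, clean)
        clean_ok, _ = verify_restore(expected, clean)

        damaged = Path(tmp) / "restore-damaged"
        restore_backup(archive, damaged)
        (damaged / "config.ini").write_text("[server]\nport=80\n")    # simulate a bad restore
        (damaged / "records" / "patient-0001.xml").unlink()
        damaged_ok, problems = verify_restore(expected, damaged)

        return {"clean_ok": clean_ok, "damaged_ok": damaged_ok,
                "problems": problems, "files": sorted(expected)}


if __name__ == "__main__":
    print(run_drill())
```

The manifest is the piece most backup jobs omit: without hashes recorded at backup time, a restore can only be checked for "files exist", not for "files are the ones that were backed up".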

10
Risk management is the continuous process of identifying, assessing and treating the risks to the organisation's information; at company level it is part of enterprise risk management (Enterprise risk management, ERM), which also covers operational, financial and compliance risks. The risk management plan has seven steps, 1 to 7; their text is not recovered.
The plan is aligned with ISO 27001, the standard for an Information Security Management System (Information Security Management System, ISMS). ISO 27001 is a management-system standard of the same family as ISO 9001 and ISO 14001 and can be certified. Its control areas are listed (the list is not recovered); the company's existing controls (antivirus, backup, firewall, hardware and software) are mapped onto them, together with document control (Document Control) and the disaster recovery policy (Disaster Recovery Policy). The ISMS follows the Plan-Do-Check-Act cycle:
Plan (Plan): define the scope, the policy and the risk assessment and select the controls.
Do (Do): implement the controls and the procedures.
Check (Check): monitor and review the ISMS, including internal audits.
Act (Act): correct and improve on the basis of the review.
[Remaining text not recovered.]

11
[Conclusions; most of the text is not recovered.] The chapter restates that the policy must be reviewed as the systems, the threats and the organisation change, that hardware and software must be kept current, and that a structured method such as CRAMM should be used for the next risk analysis.

12 References
[1] ISO/IEC 17799, Code of Practice for Information Security Management, Geneva, Switzerland, 2000.
[2] ISO/IEC JTC1, TR 13335, Information Technology - Security Techniques - Guidelines for the Management of IT Security (GMITS), Geneva, Switzerland, 1996.
[3] Law 2472/1997 on the protection of individuals with regard to the processing of personal data, Government Gazette A 50, 10-4-1997.
[4] Law 2774/1999 on the protection of personal data in the telecommunications sector.
[5] Law 3418/2005, Code of Medical Ethics.
[6] Directive 1999/93/EC of 13 December 1999 on a Community framework for electronic signatures.
[7] Directive 97/66/EC of 15 December 1997 concerning the processing of personal data and the protection of privacy in the telecommunications sector.
[8] Council of Europe, Recommendation No. R (99) 5 on the protection of privacy on the Internet.
[9] Verizon, Data Breach Investigations Report 2011.
[10] Andrew S. Tanenbaum, Computer Networks, 4th edition, Pearson Education Inc., 2003.
[11] Greek-language reference (author and title not recovered), 2007.
[12] Greek-language reference (author and title not recovered), 2007.
[13] Greek-language reference (author and title not recovered), 2005.
[14] Greek-language reference (author and title not recovered), 2007.
[15] Greek-language reference (author and title not recovered), 2002.
[16] Greek-language reference (author and title not recovered), 2005.
[17] Greek-language reference (author and title not recovered), 2002.
[18] Greek-language reference (author and title not recovered), 2002.
[19] Greek-language reference (author and title not recovered), 2001.
[20] Greek-language reference (author and title not recovered), 2003.
[21] Greek-language reference (author and title not recovered), 2001.
[22] Greek-language reference (author and title not recovered), 2002.
[23] W. Stallings, Network Security Essentials: Applications and Standards, 2nd edition, Prentice Hall, USA, 2003.
[24] K. Scarfone, P. Mell, Guide to Intrusion Detection and Prevention Systems (IDPS), NIST Special Publication 800-94, National Institute of Standards and Technology, 2007.
[25] Pfleeger, Security in Computing, Prentice-Hall Inc., 1997.
[26] Simson Garfinkel, Gene Spafford, Practical UNIX & Internet Security, 2nd edition, O'Reilly & Associates Inc., 1996.
[27] S. Powell, J. P. Shim, Wireless Technology Application, Management and Security, Springer, 2009.
[28] G. Pangalos, Security in Medical Database Systems, EEC, SEISMED Project Report, 1992.
[29] M. Siponen, Policies for Construction of Information Systems Security Guidelines, Kluwer Academic Publishers, 2000.
[30] Hossein Bidgoli, Handbook of Information Security, John Wiley & Sons, California, 2006.
[31] Michael Rash et al., Intrusion Prevention and Active Response: Deploying Network and Host IPS, Syngress, 2005.
[32] Joseph Boyce, Information Assurance: Managing Organizational IT Security Risks, 2002.
[33] Hellenic Data Protection Authority, www.dpa.gr, 2012.
[34] ENISA, Inventory of Risk Management / Risk Assessment Methods and Tools, http://rm-inv.enisa.europa.eu, 2012.
[35] Information Security Policies and Standards, http://www.information-security-policies-and-standards.com/, 2012.
[36] Risk World, http://www.riskworld.net/, 2012.
[37] IT Governance, specialist services and solutions for IT governance, risk management, compliance and information security, http://www.itgovernance.co.uk/, 2012.

Glossary
[English equivalents of the Greek terms used in the text; the Greek column is not recovered.]
Access control
Accountability
Alternate site
Assurance
Audit
Availability
Awareness and enforcement
Capacity
Certification
Classification of data
Communications infiltration
Compliance
Confidentiality
Countermeasures
Critical functions and systems
Database security
Disaster recovery facility
Disaster Recovery Policy
Discretionary Access Control
Document Controls
Efficiency
Enterprise risk management
Extensibility
Fabrication
Failures of equipment
Flexibility
Gateway
Generality
Guidelines
High-level statements
Identification
Implementation and application
Information System Assets
Integrity
Interception
Interruption
Logical infiltration
Losses
Macros
Mandatory Access Control
Marking
Modification
Opacity
Organisational policy
Physical security
Procedures
Protection Strategy
Recovery Plan
Responsibility
Review
Review and audit
Risk
Risk Analysis
Role-Based Access Control
Roles and responsibilities
Rules
Scope of Security Policy
Security breach
Security culture
Security incident
Security Management
Security measures
Security Officer
Security Plan
Security Policy
Security policy objective
Serviceability
Servers
Smart card reader
Stakeholders
Standards
Threats
Usability
Viruses
Vulnerabilities
