
ICT

8 2550

ICT 1

Contents (numbers at right are page numbers in the original document)
                                                         3
1.                                                       3
2.                                                       3
3.                                                       4
/                                                        5
1.                                                       5
2.                                                       5
3. (ICT Security Policy)                                 7
4.                                                       7
5. (SSP - System Security Plan)                         12
6. (Security Standard Operating Procedures - SOPs)      13
7.                                                      17
8.                                                      17
9.                                                      20
                                                        21



1.
(B.E. 2549 to 2551, i.e. 2006 to 2008)



ISO/IEC 27001







2.
1) ISMS

2) ISMS


3.

(Confidentiality) (Integrity) (Availability)

(IT)
3

(Confidentiality)

(Integrity)

(Availability)

(Authentication)

(Authorization)

(Data backup)

(Data protection)

(Data security)

(Risk assessment or analysis)


(Security policy)


/


1.


1)
2)


3)
4) /
5)
6)
2.


1)
2) /
3) /


ICT security

/




Web server hosting Public website
(Security-In-Confidence)
(Secret) (Restricted)

(Unclassified)


3. (ICT Security Policy)


ICT Security

1)
2)
3)
4)
5)
6)
7)
8)
4.



1 (Stage 1: Establishing the Context)
2 (Stage 2: Identifying the Risks)
3 (Stage 3: Analysing the Risks)
4 (Stage 4: Assessing and Prioritising Risks)
5 (Stage 5: Developing a Risk Treatment Plan)


1 ,

2
, ,
-, ,

3
,
, ,
,

4
,
/ , costs/benefits
5
, ,
/

2
1


1
2
3

(Matrix)

, ,

, (Major)
,

,
,

(moderate)


, (minor)
,

, ,
,

E  Extreme
H  High
M  Moderate
L  Low


(Matrix)

Consequence columns run from most severe (left) to least severe (right). The label of the leftmost column is missing from this copy of the document; it is assumed to be "Catastrophic", the top level of the AS/NZS 4360 scale on which the ACSI 33 matrix is based.

Likelihood       Catastrophic  Major  Moderate  Minor  Insignificant
Almost certain        E          E       E        H         H
Likely                E          E       H        H         M
Possible              E          E       H        M         L
Unlikely              E          H       M        L         L
Rare                  H          H       M        L         L

1
()
2 1

3 1


5
(Risk Treatment Plan)
/


1
2

3 Cost/benefit
4
5 4
6
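The five stages and the rating matrix above, worked through on a small risk register. This is an added example, not part of the original guideline: the four risks, the candidate controls and their costs are constructed for a hypothetical agency (the assets echo the classification examples earlier on this page), and the label of the most severe consequence column, "Catastrophic", is assumed from the AS/NZS 4360 scale on which the ACSI 33 matrix is based, since it is missing from this copy of the page.

```python
"""Stages 2 to 5 of the risk management process, worked on a constructed
risk register (added example, not from the original document)."""
from dataclasses import dataclass, field

# Consequence scale, most severe first, in the column order of the matrix in
# the document. The label of the first column is missing from the extracted
# page; "Catastrophic" is assumed from the AS/NZS 4360 scale used by ACSI 33.
CONSEQUENCES = ["Catastrophic", "Major", "Moderate", "Minor", "Insignificant"]
LIKELIHOODS = ["Almost certain", "Likely", "Possible", "Unlikely", "Rare"]

# Rating matrix as laid out in the document: one row per likelihood, one
# letter per consequence column (E = Extreme, H = High, M = Moderate, L = Low).
MATRIX = {
    "Almost certain": "EEEHH",
    "Likely":         "EEHHM",
    "Possible":       "EEHML",
    "Unlikely":       "EHMLL",
    "Rare":           "HHMLL",
}
RATING_NAME = {"E": "Extreme", "H": "High", "M": "Moderate", "L": "Low"}
SEVERITY = {"E": 0, "H": 1, "M": 2, "L": 3}      # lower number = more severe


def rate(likelihood: str, consequence: str) -> str:
    """Stage 3: look up the rating for a likelihood/consequence pair."""
    return MATRIX[likelihood][CONSEQUENCES.index(consequence)]


@dataclass
class Treatment:
    description: str
    cost: int             # cost of the control, arbitrary currency units (invented)
    likelihood: str       # likelihood once the control is in place
    consequence: str      # consequence once the control is in place

    @property
    def residual(self) -> str:
        return rate(self.likelihood, self.consequence)


@dataclass
class Risk:
    asset: str
    threat: str           # Stage 2: what can go wrong, to which asset
    likelihood: str
    consequence: str
    options: list = field(default_factory=list)   # candidate treatments

    @property
    def rating(self) -> str:
        return rate(self.likelihood, self.consequence)


def prioritise(risks):
    """Stage 4: most severe rating first; ties broken by consequence, then likelihood."""
    return sorted(risks, key=lambda r: (SEVERITY[r.rating],
                                        CONSEQUENCES.index(r.consequence),
                                        LIKELIHOODS.index(r.likelihood)))


def treatment_plan(risks, acceptable="M"):
    """Stage 5: for each risk above the acceptable rating, pick the cheapest
    option whose residual risk is acceptable (the cost/benefit step). Risks
    already acceptable are accepted; risks with no adequate option are flagged
    for escalation. Returns (risk, action, treatment, residual_rating) tuples."""
    plan = []
    for risk in prioritise(risks):
        if SEVERITY[risk.rating] >= SEVERITY[acceptable]:
            plan.append((risk, "accept", None, risk.rating))
            continue
        adequate = [t for t in risk.options if SEVERITY[t.residual] >= SEVERITY[acceptable]]
        if not adequate:
            plan.append((risk, "escalate", None, risk.rating))
            continue
        chosen = min(adequate, key=lambda t: t.cost)
        plan.append((risk, "treat", chosen, chosen.residual))
    return plan


# Constructed register for a hypothetical agency; all figures are invented.
REGISTER = [
    Risk("Public web server", "defacement via unpatched web software", "Likely", "Moderate",
         [Treatment("monthly patch cycle", 2000, "Unlikely", "Moderate"),
          Treatment("web application firewall", 8000, "Rare", "Moderate")]),
    Risk("Secret file server backups", "backup tapes stolen in transit", "Possible", "Major",
         [Treatment("lockable transport case", 1000, "Unlikely", "Major"),
          Treatment("encrypt backup tapes", 5000, "Possible", "Minor")]),
    Risk("Staff workstations", "local disk failure loses unsaved work", "Almost certain", "Insignificant",
         [Treatment("central file storage with nightly backup", 500, "Likely", "Insignificant")]),
    Risk("Internal wiki", "accidental deletion of a page", "Unlikely", "Minor", []),
]

if __name__ == "__main__":
    for risk, action, treatment, residual in treatment_plan(REGISTER):
        detail = f" ({treatment.description}, cost {treatment.cost})" if treatment else ""
        print(f"{RATING_NAME[risk.rating]:8} {risk.asset}: {risk.threat}")
        print(f"         -> {action}{detail}, residual {RATING_NAME[residual]}")
```

Two points the plan has to record explicitly: the "acceptable" level and the rule for choosing among adequate controls (here, the cheapest) are management decisions, not properties of the matrix; and a risk that comes back as "escalate" has no single control in the register that brings it down far enough, so it needs either a combination of controls or a documented acceptance by the authority that owns the risk.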

5. (SSP - System Security Plan)
ICT Security



-

1)
2)
3)


4)
5)
6)
7)

()
( /)

6.
(Security Standard Operating Procedures - SOPs)


/ (ITSA)
System Manager
System Administrator

SOPs

(SOPs)


1) / (ITSA)
ITSAs SOPs

Audit logs
System integrity audit

system audit trail & manual logs

user accounts, system parameters, & access controls

System software
access controls


2) System Manager SOPs


System Managers SOPs

System maintenance

Configuration control
Access control
System backup and recovery


software vulnerabilities
software patches/updates
hardening techniques
anti-virus software

system software configuration

(recovering from system failures)

3) System Administrator SOPs


System Administrators SOPs

System closedown

System backup and recovery

Cleaning up directories & files, audit logs, backup tapes, recovering from system failures


4) System Users SOPs


System Users SOPs

Security incidents
Classification

(Temporary absence)

Media control
Hardcopy
Visitors


Classified material


(hardcopy)

hardware & software maintenance


system media & system output



malicious code

unauthorized software, firmware, hardware



7.


(
)
8.

Confidentiality, Integrity, Availability, Authentication, Access control
ICT Security




1)







ICT Security

2) (Change management process)

System hardware
System or application software

system access controls
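One way to enforce the change management rule above for system and application software, and at the same time to perform the "System integrity audit" of the ITSA SOPs and the "System integrity checking" countermeasure listed later in this section: record a hash baseline of the software when the system is accredited, and on every later check compare the live state with it, separating changes that have an approved change request from those that do not. This is an added example, not code from the original guideline; the directory layout, file contents and the approved-change list are constructed for the demonstration.

```python
"""Change detection against a hash baseline (added example, not part of the
original document). Paths and file contents are constructed."""
import hashlib
import json
import os
import tempfile


def hash_file(path: str) -> str:
    """SHA-256 of a file, read in chunks so large binaries need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: str) -> dict:
    """Record hash, size and permission bits of every regular file under root.
    Keys are root-relative paths with '/' separators so the baseline is portable."""
    baseline = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if os.path.islink(path):      # the link target is hashed where it lives
                continue
            st = os.stat(path)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            baseline[rel] = {"sha256": hash_file(path),
                             "size": st.st_size,
                             "mode": st.st_mode & 0o7777}
    return baseline


def verify(root: str, baseline: dict, approved_changes=()) -> tuple:
    """Compare the current state of root with the baseline.

    Returns (findings, unauthorised): findings lists every added, removed and
    modified path; unauthorised is the same minus the paths that appear in
    approved_changes, i.e. the changes that went through change management."""
    current = build_baseline(root)
    findings = {
        "added":    sorted(set(current) - set(baseline)),
        "removed":  sorted(set(baseline) - set(current)),
        "modified": sorted(p for p in set(current) & set(baseline)
                           if current[p] != baseline[p]),
    }
    approved = set(approved_changes)
    unauthorised = {kind: [p for p in paths if p not in approved]
                    for kind, paths in findings.items()}
    return findings, unauthorised


def _write(root, rel, data):
    """Helper for the constructed scenario: write text or bytes to root/rel."""
    path = os.path.join(root, *rel.split("/"))
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "wb" if isinstance(data, bytes) else "w") as f:
        f.write(data)


def demo() -> tuple:
    """Constructed scenario: one approved configuration change and two changes
    to system software that nobody approved."""
    with tempfile.TemporaryDirectory() as root:
        _write(root, "bin/httpd", b"\x7fELF original server binary")
        _write(root, "etc/app.conf", "debug=off\n")
        saved = json.dumps(build_baseline(root))   # in practice: kept on write-protected media

        _write(root, "etc/app.conf", "debug=off\nmax_clients=200\n")   # has a change request
        _write(root, "bin/httpd", b"\x7fELF replaced server binary")     # no change request
        _write(root, "bin/cron_helper", "#!/bin/sh\necho unexpected\n")  # new file, no change request

        return verify(root, json.loads(saved), approved_changes=["etc/app.conf"])


if __name__ == "__main__":
    findings, unauthorised = demo()
    print("all changes:  ", findings)
    print("unauthorised: ", unauthorised)
```

The check is only as trustworthy as the baseline and the checking tool themselves: both must be kept where an intruder who can replace a binary cannot also rewrite them (write-protected media, a separate host, or a signed copy), and the approved-change list must come from the change management records, not from the system being checked.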
3) Security Incidents
Security incident: Confidentiality, Integrity, Availability; unauthorized access, disclosure, modification, misuse, damage, loss, destruction


Countermeasures against malicious code
Intrusion detection strategies
Audit analysis
System integrity checking
Vulnerability assessments

software tools

Network and Host Intrusion Detection Systems, System Integrity Verification, Log Analysis, Intrusion Repulsion
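The "Audit analysis" and "Log Analysis" items above, and the review of audit logs and the system audit trail assigned to the ITSA in the SOPs section, come down to running a few checks over the authentication records on a schedule. The example below is added here and is not from the original guideline: it works on a constructed OpenSSH-style log, and the account names treated as privileged, the failure threshold, the time window and the business hours are all assumptions that an agency would set in its own SOPs.

```python
"""Audit log analysis over a constructed sample (added example, not part of the
original document). Three checks an ITSA would run over the audit trail:
repeated authentication failures from one source, a successful login from a
source that was just failing, and privileged-account logins outside business
hours. Log format, account names, threshold, window and hours are assumptions."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample in OpenSSH/syslog style; not real log data.
SAMPLE_LOG = """\
2024-03-04T02:11:05 host1 sshd[411]: Failed password for invalid user admin from 203.0.113.9 port 40112 ssh2
2024-03-04T02:11:07 host1 sshd[411]: Failed password for invalid user admin from 203.0.113.9 port 40113 ssh2
2024-03-04T02:11:09 host1 sshd[411]: Failed password for root from 203.0.113.9 port 40114 ssh2
2024-03-04T02:11:12 host1 sshd[411]: Failed password for root from 203.0.113.9 port 40115 ssh2
2024-03-04T02:11:15 host1 sshd[411]: Failed password for root from 203.0.113.9 port 40116 ssh2
2024-03-04T02:11:20 host1 sshd[411]: Accepted password for root from 203.0.113.9 port 40117 ssh2
2024-03-04T09:15:30 host1 sshd[512]: Accepted publickey for alice from 192.0.2.20 port 50222 ssh2
2024-03-04T09:40:02 host1 sshd[530]: Failed password for alice from 192.0.2.20 port 50230 ssh2
2024-03-04T09:40:09 host1 sshd[530]: Accepted password for alice from 192.0.2.20 port 50231 ssh2
2024-03-04T23:05:44 host1 sshd[640]: Accepted publickey for sysadmin from 192.0.2.77 port 51000 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) sshd\[\d+\]: (?P<result>Accepted|Failed) \S+ for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<src>\S+) port \d+"
)


def parse(log_text: str) -> list:
    """Turn matching lines into event dicts; lines in other formats are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append({"ts": datetime.fromisoformat(m["ts"]), "host": m["host"],
                           "ok": m["result"] == "Accepted", "user": m["user"], "src": m["src"]})
    return events


def analyse(events: list, threshold: int = 5, window: timedelta = timedelta(minutes=10),
            privileged=("root", "sysadmin"), business_hours=(8, 18)) -> list:
    """Return (check, subject, timestamp) findings in time order."""
    findings = []
    failures = defaultdict(list)          # source address -> failure timestamps inside the window
    for e in sorted(events, key=lambda e: e["ts"]):
        recent = [t for t in failures[e["src"]] if e["ts"] - t <= window]
        if not e["ok"]:
            recent.append(e["ts"])
            if len(recent) == threshold:  # fire once, when the threshold is crossed
                findings.append(("brute_force", e["src"], e["ts"]))
        else:
            if len(recent) >= threshold:  # guessing that ended in a success: treat as compromise
                findings.append(("success_after_failures", f"{e['user']}@{e['src']}", e["ts"]))
            if e["user"] in privileged and not business_hours[0] <= e["ts"].hour < business_hours[1]:
                findings.append(("privileged_off_hours", f"{e['user']}@{e['src']}", e["ts"]))
        failures[e["src"]] = recent
    return findings


if __name__ == "__main__":
    for check, subject, ts in analyse(parse(SAMPLE_LOG)):
        print(f"{ts.isoformat()}  {check:24}  {subject}")
```

On the sample, the single failed password for alice followed by a success is below the threshold and produces nothing, while the root login at 02:11:20 is reported twice (success after a run of failures, and a privileged login at night); the second kind of finding is the one that should go straight into the incident reporting procedure described below rather than into a weekly review.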


4) Security Incidents




Software malfunctions

/
/


5)
Security incidents

6) (Incident Response Plan)


Incident Response Plan



compromise



9.

Security








(Best practice)


1. ACSI 33, Australian Government, Information and Communications Technology Security Manual, 31 March 2006
2. Information Security Guideline for NSW Government, June 2003
3. NIST SP 800-53, Recommended Security Controls for Federal Information Systems
4. NIST SP 800-53A, Guide for Assessing the Security Controls in Federal Information Systems
5. FIPS 199, Standards for Security Categorization of Federal Information and Information Systems
6. FIPS 200, Minimum Security Requirements for Federal Information and Information Systems
7. ISO/IEC 27001, Information Security Management Systems (ISMS)

