bab 7 (assuring reliable and secure it services)
Post on 15-Aug-2015
12 Views
Preview:
TRANSCRIPT
� The emergence of web-based commerce has
accelerated the expansion of a worldwide
network capable of transmitting information
reliably and securely across vast distances.
� Unfortunately, some components of a firm’s
infrastructure are not inherently reliable. The
reliability of processing systems depends on how
they are designed and managed.
� Businesses need policies that determine how to
integrate redundant elements into a company’s
overall infrastructure: how backup systems and
equipment will be brough online, how problems
will be diagnosed and triaged, and who will be
responsible for responding to incidents.
� Making the wrong decision in designing or
maintaining infrastructure or in responding to
incidents can severely harm a business.
� In modern context, a 98 percent availability rating
for a system usually means that its probability of
being up and running at any given time is 98
percent – period.
� Moreover, for real-time infrastructure, 98 percent
is not nearly good enough.
� In fact, the availability of today’s IT infrastructure
is often expressed in terms of a number of ‘nines’
(99.999) percent.
1. Uninterruptible electric power delivery
2. Physical security
3. Climate control and fire suppression
4. Network connectivity
5. Help desk and incident response procedures
6. N+1 and N+N redundancy
� Classification of threats
1. External atttacks
2. Intrusion
3. Viruses and Worms
� Defensive measures
1. Security Policies
2. Firewalls
3. Authentication
4. Encryption
5. Intrusion detection and network monitoring
1. Make deliberate security decision
2. Consider security a moving target
3. Practice disciplined change management
4. Educate users
5. Deploy multilevel technical measures, as many
as you can afford
� Managing incidents before they accur
1. Sound infrastructure design
2. Disciplined execution of operating procedures
3. Careful documentation
4. Established crisis management procedures
5. Rehearsing incident response
� Managing during an incident
1. Emotional responses, including confusion, denial,
fear and panic
2. Wishful thinking and groupthink
3. Political maneuvering, diving for cover and ducking
responsibility
4. Leaping ti conclusions and blindness to evidence that
contradicts current beliefs
� Managing after an incident
1. Rebuild parts of the infrastructure
2. Sometimes erasing and rebuilding everything from
scratch is the only way to be sure the infrastructure is
restored to its preincident state
3. It is essential to communicate the seriousness with
which a company protects the information entrusted
to it
1. How available do our systems need to be? Are our
infrastructure investments in availability aligned with
requirements?
2. Are we taking security threats seriously enough? How
secure is our current infrastructure? How do we assess
information security on an ongoing basis? Have IT staff
members received adequate training? How do we
compare with information security best-in-class
organizations?
3. Do we have plans for responding to infrastructure
incidents? Do we practice them on a regular basis? Are
staff members trained in incident response? What are
our plans and policies for communicating information
about incidents to external parties such as customers,
partners, the press and the public?
top related