
Identifying threats and vulnerabilities in information technology

Threat - the intention to destroy the information technology


Vulnerability - the property of being easy to attack
Information technology - the technology that ensures the use of data (hardware and software)
1. Hardware - all the (physical) components of a computer system
2. Software - all the (logical) components of a computer system
1. Threats - intentional: the security guard staff should be replaced with video cameras and an alarm system in order to avoid human errors.
- unintentional: threats that occur unintentionally, such as power outages, floods, fires, earthquakes, lightning, voltage drops, dust, humidity, variable temperature.
Vulnerability: natural or human, technical: theft, deterioration.
2. Threats
- intentional: infection with a computer virus, theft or copying of the program for use in competing applications, inappropriate allocation of network access rights, accessing virus-infected sites, theft of information that can be used in the competitors' interest. To avoid these incidents, each computer must be password-protected (user + password) so that the sites accessed can be seen exactly from the server (by the computer's IP).
- unintentional: unintentional deletion of programs.
- viruses (e.g. www.microsoft.com)
antivirus (application and database updates)
- hackers
- users
- firewall
- encryption
- application updates
- operating system updates
Vulnerabilities
- installing an untested application
- mismatch between data collection and the application (information system vs. computer system)
- removing the holes left by the programmer
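The control stated above (each computer has its own user and password, and the server can see which sites were accessed by computer IP) is only useful if someone actually reviews that record. The following is an added example, not code from the original assignment, of what such a review looks like over a proxy log: it groups the accessed hosts by workstation IP, attaches the user assigned to that workstation, flags hosts that policy does not allow, and reports IPs that are not in the inventory at all. The log layout, the IP-to-user table and the flagged-host list are all constructed for the illustration.

```python
"""Review of web sites accessed per workstation, keyed by client IP.

Added example (not from the original page). The log layout, the
IP-to-user inventory and the flagged-host list are constructed here.
"""
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed sample log: "<timestamp> <client_ip> <method> <target> <status>".
SAMPLE_LOG = """\
2024-03-04T09:12:01 192.168.1.21 GET http://www.microsoft.com/update 200
2024-03-04T09:13:44 192.168.1.21 GET https://www.microsoft.com/technet 200
2024-03-04T09:15:09 192.168.1.22 GET http://downloads.example/tool.exe 200
2024-03-04T09:16:30 192.168.1.22 GET https://www.microsoft.com/ 200
2024-03-04T09:18:02 192.168.1.23 CONNECT bad-site.example:443 200
this line is deliberately malformed and must be skipped
2024-03-04T09:20:11 192.168.1.99 GET https://www.microsoft.com/ 200
"""

# Constructed inventory: which user account is assigned to which workstation.
IP_TO_USER = {
    "192.168.1.21": "accounting1",
    "192.168.1.22": "accounting2",
    "192.168.1.23": "manager",
}

# Constructed policy list of hosts that should not be reached from the office.
FLAGGED_HOSTS = {"downloads.example", "bad-site.example"}


def host_from_target(method, target):
    """Extract the destination host from a proxy request target.

    CONNECT (HTTPS tunnelling) logs "host:port"; other methods log a full URL.
    """
    if method == "CONNECT":
        host, _, _ = target.rpartition(":")
        return host or None
    return urlsplit(target).hostname


def parse_line(line):
    """Return (client_ip, host) for a well-formed line, or None for junk."""
    parts = line.split()
    if len(parts) != 5:
        return None
    _timestamp, client_ip, method, target, _status = parts
    host = host_from_target(method, target)
    if not host:
        return None
    return client_ip, host


def review_access(log_text, ip_to_user, flagged_hosts):
    """Group accessed hosts by workstation IP and attach the assigned user.

    Returns {ip: {"user": ..., "hosts": [...], "flagged": [...], "requests": n}}.
    An IP absent from the inventory gets user "unknown": a machine the
    administrator has not accounted for is itself worth a look.
    """
    per_ip = defaultdict(lambda: {"hosts": set(), "requests": 0})
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue  # malformed lines are skipped, not allowed to abort the review
        client_ip, host = parsed
        per_ip[client_ip]["hosts"].add(host)
        per_ip[client_ip]["requests"] += 1

    report = {}
    for client_ip, data in per_ip.items():
        hosts = sorted(data["hosts"])
        report[client_ip] = {
            "user": ip_to_user.get(client_ip, "unknown"),
            "hosts": hosts,
            "flagged": sorted(h for h in hosts if h in flagged_hosts),
            "requests": data["requests"],
        }
    return report


if __name__ == "__main__":
    for ip, entry in sorted(review_access(SAMPLE_LOG, IP_TO_USER, FLAGGED_HOSTS).items()):
        print(f"{ip} ({entry['user']}): {entry['requests']} requests, "
              f"sites {entry['hosts']}, flagged {entry['flagged']}")
```

Keying the report by IP only works when the IP-to-user assignment is stable (fixed addresses or DHCP reservations); with dynamic addressing the inventory must be rebuilt from the DHCP lease log before the review, otherwise accesses get attributed to the wrong person.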
The Standard of Good Practice
Aspect: Security Management (enterprise-wide)
Focus: Security management at enterprise level.
Target audience: The target audience of the SM aspect will typically include:
- Heads of information security functions
- Information security managers (or equivalent)
- IT auditors
Issues probed: The commitment provided by top management to promoting good information security practices across the enterprise, along with the allocation of appropriate resources.
Scope and coverage: Security management arrangements within:
- A group of companies (or equivalent)
- Part of a group (e.g. subsidiary company or a business unit)
- An individual organization (e.g. a company or a government department)

Aspect: Critical Business Applications
Focus: A business application that is critical to the success of the enterprise.
Target audience: The target audience of the CB aspect will typically include:
- Owners of business applications
- Individuals in charge of business processes that are dependent on applications
- Systems integrators
- Technical staff, such as members of an application support team.
Issues probed: The security requirements of the application and the arrangements made for identifying risks and keeping them within acceptable levels.
Scope and coverage: Critical business applications of any:
- Type (including transaction processing, process control, funds transfer, customer service, and workstation applications)
- Size (e.g. applications supporting thousands of users or just a few)

Aspect: Computer Installations
Focus: A computer installation that supports one or more business applications.
Target audience: The target audience of the CI aspect will typically include:
- Owners of computer installations
- Individuals in charge of running data centers
- IT managers
- Third parties that operate computer installations for the organization
- IT auditors
Issues probed: How requirements for computer services are identified, and how the computers are set up and run in order to meet those requirements.
Scope and coverage: Computer installations:
- Of all sizes (including the largest mainframe, server-based systems, and groups of workstations)
- Running in specialized environments (e.g. a purpose-built data center), or in ordinary working environments (e.g. offices, factories, and warehouses)

Aspect: Networks
Focus: A network that supports one or more business applications.
Target audience: The target audience of the NW aspect will typically include:
- Heads of specialist network functions
- Network managers
- Third parties that provide network services (e.g. Internet service providers)
- IT auditors
Issues probed: How requirements for network services are identified, and how the networks are set up and run in order to meet those requirements.
Scope and coverage: Any type of communications network, including:
- Wide area networks (WANs) or local area networks (LANs)
- Large scale (e.g. enterprise-wide) or small scale (e.g. an individual department or business unit)
- Those based on Internet technology such as intranets or extranets
- Voice, data, or integrated

Aspect: Systems Development
Focus: A systems development unit or department, or a particular systems development project.
Target audience: The target audience of the SD aspect will typically include:
- Heads of systems development functions
- System developers
- IT auditors
Issues probed: How business requirements (including information security requirements) are identified, and how systems are designed and built to meet those requirements.
Scope and coverage: Development activity of all types, including:
- Projects of all sizes (ranging from many worker-years to a few worker-days)
- Those conducted by any type of developer (e.g. specialist units or departments, outsourcers, or business users)
- Those based on tailor-made software or application packages

Aspect: End User Environment
Focus: An environment (e.g. a business unit or department) in which individuals use corporate business applications or critical workstation applications to support business processes.
Target audience: The target audience of the EU aspect will typically include:
- Business managers
- Individuals in the end-user environment
- Local information-security coordinators
- Information-security managers (or equivalent)
Issues probed: The arrangements for user education and awareness; use of corporate business applications and critical workstation applications; and the protection of information associated with mobile computing.
Scope and coverage: End-user environments:
- Of any type (e.g. corporate department, general business unit, factory floor, or call center)
- Of any size (e.g. several individuals to groups of hundreds or thousands)
- That include individuals with varying degrees of IT skills and awareness of information security.
The same aspects applied to the analyzed company:

Aspect: Security Management (enterprise-wide)
Focus: Security management at the level of the analyzed entity.
Target audience:
- IT manager
- Network administrator
- Internal IT auditor (outsourced service)
- IT technician, within the IT department
Issues probed: The IT manager informs the employed staff of their responsibilities regarding the confidentiality and security of the processed data and of the information obtained from processing it. Management also ensures the continuous training of employees in the efficient and correct use of the programs in use.
Scope and coverage: This is an independent company in which tasks are clearly divided among employees, who are aware of their specific responsibilities. Security management involves assessing risks, establishing the priority of access to the database, protecting against intentional or unintentional threats, and minimizing the vulnerabilities to which the system is exposed.

Aspect: Critical Business Applications
Focus: The accounting software product in use is very important for the business conducted.
Target audience: The WinMENTOR software program was acquired legally, under license, following a contract between two legal entities. The company that supplied the program also provides consulting services regarding its use. The latest changes to the program, made alongside legislative changes, can be downloaded from the company's official website.
Issues probed: Access to the accounting software is granted to the persons who hold the hardware key that enables full use of the program. Each computer has a distinct password, including the server. A firewall program monitoring access to the database is installed. Because an Internet connection is possible, a licensed antivirus is installed and e-mail is encrypted.
Scope and coverage: The application in use supports working over the network. The transferred data are logically coupled; after coupling they have the same properties as the data entered on the central computer. It is a network with one server and 6 computers connected to each other via a switch.

Aspect: Computer Installations
Focus: The computer network provides the technical support for carrying out the activity.
Target audience: The IT technician, the network administrator and specialists from the company that supplied the accounting software ensure that the computers function properly, so that the company can carry out its business tasks.
Issues probed: Users of the programs notice problems that arise while using the programs and report them to the IT department. The manager of this department delegates the responsibilities to the person specialized in the problem found. Periodic reviews are carried out by the network administrator and the IT technician. For more complex problems, the services of a specialized company are called in.
Scope and coverage: The computers operate in offices where an optimal temperature is maintained and where they are protected from possible physical threats. The premises are also guarded 24 hours a day.

Aspect: Networks
Focus: The network is designed to support the level of traffic.
Target audience: Responsibility for maintaining the network lies with the network administrator, assisted by the IT technician and by external specialists where needed.
Issues probed: The network administrator identifies the network's problems and draws up a report that is sent to the IT manager, suggesting possible solutions. The internal auditor also plays an important role in developing solutions and suggestions related to the functionality and security of the network.
Scope and coverage: It is a small-scale network of LAN type.

Aspect: Systems Development
Focus: At present there is no systems development department. In the future, as the business grows, the need for such a working group will arise.
Target audience:
- Business manager
- IT manager
- IT auditor
- Security manager
Issues probed: ----------------------
Scope and coverage: For the near future, the only solution should such needs arise would be to outsource the systems development activity.

Aspect: End User Environment
Focus: Applications supporting the business-specific processes.
Target audience:
- Business manager
- IT manager
Issues probed: Training and information sessions for employees provided by management, and assistance from the software suppliers regarding modifications and changes in the programs. Informing employees of their responsibilities regarding the confidentiality of the information processed and of the data handled.
Scope and coverage: Individuals with IT and information security knowledge, able to instil in employees the responsibilities of their position and an awareness of the consequences of their actions on the application in use and on the business itself. Such individuals most often come from inside the company but can also come from outside when such specialists are needed.

