
Identifying threats and vulnerabilities in information technology

Threat - the intention to destroy information technology.
Vulnerability - the property of being easy to attack.
Information technology - the technology that ensures the use of data (hardware and software).

1. Hardware - all the (physical) components of a computer system.
2. Software - all the (logical) components of a computer system.

1. Hardware threats
- intentional: security guards should be replaced with video cameras and an alarm system in order to avoid human error.
- unintentional: threats that occur without intent, such as power outages, floods, fires, earthquakes, lightning, voltage drops, dust, humidity and variable temperature.
- vulnerability: natural or human; technical: theft, damage.

2. Software threats
- intentional: infection with a computer virus, theft or copying of a program so that it can be used in competing applications, improper allocation of network access rights, visiting virus-infected sites, theft of information that can be used in the interest of competitors. To avoid these incidents, every computer must be password-protected (user + password) so that the sites accessed can be seen exactly from the server (according to the computer's IP).
- unintentional: unintentional deletion of programs.
- viruses (e.g. antivirus from www.microsoft.com, with application and database updates), hackers, users, firewall, encryption, application updates, operating system updates.

Vulnerabilities
- installing an untested application
- mismatch between data collection and the application (information system versus computer system)
- closing the gaps left by the programmer

The Standard of Good Practice


The Standard describes six aspects, each characterized by five attributes: Aspect, Focus, Target audience, Issues probed, and Scope and coverage.

Aspect: Security Management (enterprise-wide)
Focus: Security management at enterprise level.
Target audience: The target audience of the SM aspect will typically include:
- Heads of information security functions
- Information security managers (or equivalent)
- IT auditors
Issues probed: The commitment provided by top management to promoting good information security practices across the enterprise, along with the allocation of appropriate resources.
Scope and coverage: Security management arrangements within:
- A group of companies (or equivalent)
- Part of a group (e.g. a subsidiary company or a business unit)
- An individual organization (e.g. a company or a government department)

Aspect: Critical Business Applications
Focus: A business application that is critical to the success of the enterprise.
Target audience: The target audience of the CB aspect will typically include:
- Owners of business applications
- Individuals in charge of business processes that are dependent on applications
- Systems integrators
- Technical staff, such as members of an application support team
Issues probed: The security requirements of the application and the arrangements made for identifying risks and keeping them within acceptable levels.
Scope and coverage: Critical business applications of any:
- Type (including transaction processing, process control, funds transfer, customer service, and workstation applications)
- Size (e.g. applications supporting thousands of users or just a few)

Aspect: Computer Installations
Focus: A computer installation that supports one or more business applications.
Target audience: The target audience of the CI aspect will typically include:
- Owners of computer installations
- Individuals in charge of running data centers
- IT managers
- Third parties that operate computer installations for the organization
- IT auditors
Issues probed: How requirements for computer services are identified, and how the computers are set up and run in order to meet those requirements.
Scope and coverage: Computer installations:
- Of all sizes (including the largest mainframe, server-based systems, and groups of workstations)
- Running in specialized environments (e.g. a purpose-built data center) or in ordinary working environments (e.g. offices, factories, and warehouses)

Aspect: Networks
Focus: A network that supports one or more business applications.
Target audience: The target audience of the NW aspect will typically include:
- Heads of specialist network functions
- Network managers
- Third parties that provide network services (e.g. Internet service providers)
- IT auditors
Issues probed: How requirements for network services are identified, and how the networks are set up and run in order to meet those requirements.
Scope and coverage: Any type of communications network, including:
- Wide area networks (WANs) or local area networks (LANs)
- Large scale (e.g. enterprise-wide) or small scale (e.g. an individual department or business unit)
- Those based on Internet technology, such as intranets or extranets
- Voice, data, or integrated

Aspect: Systems Development
Focus: A systems development unit or department, or a particular systems development project.
Target audience: The target audience of the SD aspect will typically include:
- Heads of systems development functions
- System developers
- IT auditors
Issues probed: How business requirements (including information security requirements) are identified, and how systems are designed and built to meet those requirements.
Scope and coverage: Development activity of all types, including:
- Projects of all sizes (ranging from many worker-years to a few worker-days)
- Those conducted by any type of developer (e.g. specialist units or departments, outsourcers, or business users)
- Those based on tailor-made software or application packages

Aspect: End User Environment
Focus: An environment (e.g. a business unit or department) in which individuals use corporate business applications or critical workstation applications to support business processes.
Target audience: The target audience of the UE aspect will typically include:
- Business managers
- Individuals in the end-user environment
- Local information security coordinators
- Information security managers (or equivalent)
Issues probed: The arrangements for user education and awareness; the use of corporate business applications and critical workstation applications; and the protection of information associated with mobile computing.
Scope and coverage: End-user environments:
- Of any type (e.g. corporate department, general business unit, factory floor, or call center)
- Of any size (e.g. from several individuals to groups of hundreds or thousands)
- That include individuals with varying degrees of IT skills and awareness of information security

Applying the same attributes (Aspect, Focus, Target audience, Issues probed, Scope and coverage) to the analyzed entity:

Aspect: Security Management (enterprise-wide)
Focus: Security management at the level of the analyzed entity.
Target audience:
- IT manager
- Network administrator
- Internal IT auditor (outsourced service)
- IT technician, within the IT department
Issues probed: The IT manager informs the employed staff of their responsibilities for ensuring the confidentiality and security of the data processed and of the information obtained from processing it. Management also ensures the continuous training of employees in the efficient and correct use of the programs in use.
Scope and coverage: This is an independent company in which tasks are clearly divided among employees, who are aware of their specific responsibilities. Security management involves assessing risks, setting priorities for access to the database, protecting against intentional or unintentional threats, and minimizing the vulnerabilities to which the system is exposed.

Aspect: Critical Business Applications
Focus: The accounting software product in use is very important for the business conducted.
Target audience: Access to the accounting software is granted to the persons who hold the hardware key that enables full use of the program. Every computer, including the server, has a distinct password. A firewall program is installed to monitor access to the database. Because connection to the Internet is possible, a licensed antivirus is installed and e-mail is encrypted.
Issues probed: The application in use supports working over the network. The transferred data are logically coupled, and after coupling they have the same properties as the data entered on the central computer. The network consists of one server and 9 computers connected to each other through a switch.
Scope and coverage: The WinMENTOR software was legally acquired, with a license, under a contract concluded between two legal entities. The firm that supplied the program also provides consulting services on its use. The latest program updates, released alongside legislative changes, can be downloaded from the firm's official site.

Aspect: Computer Installations
Focus: The computer network provides the technical support for carrying out the business activity.
Target audience: The IT technician, the network administrator and specialists from the firm that supplied the accounting software keep the computers in good working order so that the company can fulfil its business tasks.
Issues probed: Users of the programs notice problems that arise while using them and report them to the IT department. The manager of that department delegates the responsibility to the person specialized in the problem identified. Periodic reviews are carried out by the network administrator and the IT technician. For more complex problems, the services of a specialized firm are used.
Scope and coverage: The computers operate in offices where the optimal temperature is maintained and where they are protected against possible physical threats. The premises are also guarded 24 hours a day.

Aspect: Networks
Focus: The network is designed to support the level of traffic.
Target audience: Responsibility for maintaining the network lies with the network administrator, assisted by the IT technician and, where needed, by external specialists.
Issues probed: The network administrator identifies network problems and draws up a report for the IT manager, suggesting possible solutions. The internal auditor also plays an important role in developing solutions and suggestions regarding the functionality and security of the network.
Scope and coverage: It is a small-scale LAN.

Aspect: Systems Development
Focus: There is currently no systems development department. In the future, as the business grows, the need for such a working group will be felt.
Target audience:
- Business manager
- IT manager
- IT auditor
- Security manager
Issues probed: -
Scope and coverage: For the near future, the only solution should such a need arise would be to outsource the systems development activity.

Aspect: End User Environment
Focus: Applications supporting the processes specific to the business.
Target audience:
- Business manager
- IT manager
Issues probed: Training and information sessions for employees held by management, and assistance from the software suppliers regarding the modifications and changes made to the programs. Informing employees of their responsibilities regarding the confidentiality of the information processed and the data handled.
Scope and coverage: Individuals with IT and information security knowledge, capable of instilling in employees the responsibilities of their position and an awareness of the consequences of their actions on the application in use and on the business itself. Such individuals most often come from within the company, but may also come from outside when such specialists are needed.

