Open rainit2006 opened 4 years ago
Real Evidence: Tangible and Physical objects, in IT Security: Hard Disks, USB Drives – NOT the data on them.
Direct Evidence: Testimony from a first hand witness, what they experienced with their 5 senses.
Circumstantial Evidence: Evidence to support circumstances for a point or other evidence.
Corroborative Evidence: supports facts or elements of the case; not a fact on its own, but supports other facts.
Hearsay: not first-hand knowledge, and normally inadmissible in a case. Computer-generated records, and with them log files, were once considered hearsay, but case law and updates to the Federal Rules of Evidence have changed that. Rule 803(6), the business records exception, provides for the admissibility of a record or report that was "made at or near the time by, or from information transmitted by, a person with knowledge, if kept in the course of a regularly conducted business activity, and if it was the regular practice of that business activity to make the memorandum, report, record or data compilation."
Best Evidence Rule: the courts prefer the best evidence possible. Evidence should be accurate, complete, relevant, authentic, and convincing.
Secondary Evidence: common in cases involving IT. Logs and documents from the systems are considered secondary evidence.
Evidence Integrity: it is vital that the evidence's integrity cannot be questioned. This is done with cryptographic hashes. Any forensic work is done on copies, never on the originals, and the hash of both the original and the copy is checked before and after the analysis.
Chain of Custody: this is done to prove the integrity of the data, i.e. that no tampering was done. Who handled it? When did they handle it? What did they do with it? Where did they handle it?
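The procedure in the two notes above (hash the original and the working copy before and after the analysis, and record who handled the item, when, what they did and where), as an added Python example that is not part of the original notes. The sample image bytes, the file names, the analyst name and the location are constructed placeholders.

```python
import hashlib
import shutil
import tempfile
from datetime import datetime, timezone
from pathlib import Path

# Constructed stand-in for an acquired disk image (not real evidence).
SAMPLE_IMAGE = b"NTFS    " + bytes(range(256)) * 4


def sha256_file(path: Path, chunk_size: int = 1 << 20) -> str:
    """Stream the file through SHA-256 so large images need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


class CustodyLog:
    """Chain-of-custody record: who handled the item, when, what they did,
    where, and the hash observed at that moment."""

    def __init__(self):
        self.entries = []

    def record(self, who: str, what: str, where: str, item: Path) -> dict:
        entry = {
            "who": who,
            "when": datetime.now(timezone.utc).isoformat(),
            "what": what,
            "where": where,
            "item": str(item),
            "sha256": sha256_file(item),
        }
        self.entries.append(entry)
        return entry


def acquire_working_copy(original: Path, copy: Path, log: CustodyLog,
                         who: str, where: str) -> str:
    """Hash the original, make the working copy, hash the copy.
    Returns the reference hash; raises if the copy does not match."""
    before = log.record(who, "hash original before copying", where, original)
    shutil.copyfile(original, copy)
    made = log.record(who, "create and hash working copy", where, copy)
    if made["sha256"] != before["sha256"]:
        raise RuntimeError("working copy does not match original; re-acquire")
    return before["sha256"]


def verify_after_analysis(original: Path, copy: Path, expected: str,
                          log: CustodyLog, who: str, where: str):
    """Re-hash both files when the work is finished.
    Returns (original_unchanged, copy_unchanged)."""
    o = log.record(who, "re-hash original after analysis", where, original)
    c = log.record(who, "re-hash working copy after analysis", where, copy)
    return o["sha256"] == expected, c["sha256"] == expected


def run_demo(tamper_copy: bool = False) -> dict:
    """Acquire, analyze (read-only), verify. tamper_copy=True simulates
    an analyst accidentally writing to the working copy."""
    with tempfile.TemporaryDirectory() as d:
        original = Path(d) / "evidence.img"
        copy = Path(d) / "working.img"
        original.write_bytes(SAMPLE_IMAGE)

        log = CustodyLog()
        who, where = "analyst A", "lab bench 3"  # placeholders
        expected = acquire_working_copy(original, copy, log, who, where)

        # All examination happens on the copy; the original is never opened for writing.
        copy.read_bytes()
        if tamper_copy:
            with open(copy, "r+b") as f:
                f.write(b"X")  # one byte changed: the hash check must catch it

        original_ok, copy_ok = verify_after_analysis(
            original, copy, expected, log, who, where)
        return {
            "sha256": expected,
            "original_unchanged": original_ok,
            "copy_unchanged": copy_ok,
            "custody_entries": log.entries,
        }


if __name__ == "__main__":
    result = run_demo()
    print("reference SHA-256:", result["sha256"])
    for e in result["custody_entries"]:
        print(e["when"], e["who"], e["where"], e["what"], e["sha256"][:16])
    print("original unchanged:", result["original_unchanged"],
          "copy unchanged:", result["copy_unchanged"])
```

Each custody entry carries the hash observed at that step, so the log itself shows at which handover a mismatch first appeared; a single changed byte in the working copy flips the final check while the original still verifies.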
When the computer output is done during regular business hours
# | Category | Description | Examples
---|---|---|---
1 | Controls | Information security management and implementation guidance | ISO 17799/27002, NIST 800-53
2 | Control Objectives | Management and control objectives | COBIT, ITIL/ISO 20000, CMM
3 | Governance Framework | Framework for governance as a whole | COSO, OCEG
4 | Regulations | Industry-specific laws, regulations and guidelines | SOX, HIPAA, GLBA, FISMA, PCI DSS
Industry | Law / guideline | Notes
---|---|---
Government / public sector | FISMA (Federal Information Security Management Act) | IPA report: US initiatives for improving information security
Finance | GLBA (Gramm-Leach-Bliley Act), US SEC compliance (US securities exchanges) |
Healthcare | HIPAA (Health Insurance Portability and Accountability Act), HITECH Act (personal health information protection) |
Energy / critical infrastructure | NERC CIP (North American Electric Reliability Corporation Critical Infrastructure Protection cybersecurity standards) |
Credit card / retail | PCI DSS (Payment Card Industry Data Security Standard) |
ISO 31000 sets out an approach to risk management that can be applied at any level or scale of organization. It is only a guideline on risk management and is not intended as a basis for certification. https://www.newton-consulting.co.jp/bcmnavi/guideline/iso31000_2009.html
GLBA is a US law requiring all financial institutions to tell consumers about their policies and practices regarding personal (privacy) information. The Gramm-Leach-Bliley Act (GLBA) contains provisions regulating the privacy of customer financial information.
Intentional violations can result in criminal penalties.
Tips: GLBA = protecting consumers' money from bad banks; SOX = protecting investors' money from bad corporations.
FISMA applies to federal agencies and to their private-sector contractors, and mandates strengthened security of information and information systems. FISMA specifically applies to government contractors.
Economic Espionage Act of 1996: a law requiring those who hold trade secrets to protect them as intellectual property. Anyone who wrongfully leaks a US company's trade secrets can be fined or imprisoned under this act.
Federal Sentencing Guidelines of 1991: guidelines created to clarify and standardize sentencing discretion for federal crimes. In 1991 the "prudent man rule" was applied to information security matters under these guidelines: for white-collar crime they defined the responsibility of senior management and encouraged the implementation of security policies and security programs (due care).
Protection of electronic communications against warrantless wiretapping.
The Communications Assistance to Law Enforcement Act (CALEA) requires that all communications carriers make wiretaps possible for law enforcement officials who have an appropriate court order.
COPPA (Children's Online Privacy Protection Act) is a US law in force since April 21, 2000 that protects children's safety on the Internet by regulating sites aimed at children. When a commercial site collects personal information from children under the age of 13, COPPA imposes obligations such as the following (details omitted). COPPA requires that websites obtain advance parental consent for the collection of personal information from children under the age of 13.
Prudent man rule: a duty imposed on fiduciaries who manage funds on behalf of others, such as pension funds. "A fiduciary must manage investments prudently, taking into account economic conditions, risks and other factors, as a knowledgeable and prudent investor naturally would."
"De facto standard": a standard established through widespread use rather than formal adoption.
COBIT is a framework developed by ISACA (formerly the Information Systems Audit and Control Association) and the IT Governance Institute (ITGI). In essence, COBIT addresses "what should be achieved" and ITIL is the framework for "how to achieve it".
COBIT specifies 17 enterprise goals and 17 IT-related goals that take the guesswork out of ensuring we consider all dimensions in our decision-making processes.
Most of the security compliance auditing practices used in the industry today are based on COBIT.
COSO is one model of corporate governance (from the financial world). COBIT was derived from the COSO framework and largely encompasses it. The difference is that COBIT views the subject from an IT perspective.
While COBIT helps a company define risk goals at an operational level, COSO helps a company define organizational risks at a business level. While COBIT is a model for IT governance, COSO is a model for corporate governance. COBIT was derived from the COSO framework.
COBIT is a framework that defines goals for the controls used to properly manage IT and ensure that IT maps to business needs. It is broken down into four domains: Plan and Organize, Acquire and Implement, Deliver and Support, and Monitor and Evaluate. Each domain drills down into subcategories.
Zachman Framework: a two-dimensional model that crosses six basic interrogatives (what, how, where, who, when, why) with different viewpoints (planner, owner, designer, builder, implementer and worker), giving a holistic understanding of the enterprise.
The Open Group Architecture Framework (TOGAF): has its origins in the US Department of Defense's TAFIM and provides a method for designing, implementing and governing an enterprise information architecture. It lets architects view the enterprise from different perspectives (business, data, application and technology) to ensure that the technology needed for the environment and its components is developed, ultimately meeting business requirements.
Sherwood Applied Business Security Architecture (SABSA): a layered model whose first layer defines business requirements from a security perspective.
COBIT (Control Objectives for Information and related Technology): a governance and management framework developed by ISACA (Information Systems Audit and Control Association) and the IT Governance Institute (ITGI).
COSO Internal Control Integrated Framework: developed by the Committee of Sponsoring Organizations of the Treadway Commission (COSO), formed in 1985, to deal with fraudulent financial activities and reporting.
ISO/IEC 27000 series: international standards developed jointly by ISO and IEC on how to develop and maintain an information security management system.
ITIL: a process-based, customer-oriented IT service management framework that moves away from the traditional technology-centred focus of IT management, shifting from technology management to process management and then to service management.
Capability Maturity Model Integration (CMMI): developed by Carnegie Mellon University as a way of determining the maturity of an organization's processes.
NIST outlines some self-testing techniques:
Information warfare: the mutual information activities of friend and foe, protecting one's own information and information systems while attacking, disrupting and interfering with the enemy's.
SLAs do not normally address issues of data confidentiality. Those provisions are normally included in a nondisclosure agreement (NDA).
In reduction analysis, the security professional breaks the system down into five key elements: trust boundaries, data flow paths, input points, privileged operations, and details about security controls.
Special Publications in the 800 series present documents of general interest to the computer security community.
CIA: confidentiality, integrity, and availability.
Control functionalities:
• ISO/IEC 27000 series International standards on how to develop and maintain an ISMS developed by ISO and IEC
Zachman Framework Model:
TOGAF Model and methodology:
DoDAF: US Department of Defense architecture framework that ensures interoperability of systems to meet military mission goals
MODAF: architecture framework developed by the British Ministry of Defence, used mainly in military support missions
SABSA (Sherwood Applied Business Security Architecture ):
For an enterprise security architecture to be successful in its development and implementation, the following items must be understood and followed:
COBIT
NIST SP 800-53
COSO IC
SOX
• ITIL: processes to allow for IT service management, developed by the United Kingdom's Office of Government Commerce
• Six Sigma: business management strategy that can be used to carry out process improvement
• Capability Maturity Model Integration (CMMI): organizational development for process improvement, developed by Carnegie Mellon University
Organisation for Economic Co-operation and Development (OECD) :
GDPR: The GDPR defines three relevant entities:
• Data subject: the individual to whom the data pertains
• Data controller: any organization that collects data on EU residents
• Data processor: any organization that processes data for a data controller
Key provisions of the GDPR include:
• Consent
• Right to be informed
• Right to restrict processing
• Right to be forgotten
• Data breaches (a breach must be reported to the supervisory authority within 72 hours of becoming aware of it)
Civil (Code) Law System: rule-based law, not precedent-based.
Common Law System: based on previous interpretations of laws (precedent).
Criminal: based on common law, statutory law, or a combination of both.
Administrative (regulatory):
Customary Law System
Religious Law System
Mixed Law System
Trade Secret
Copyright: life of the author plus 70 years; for joint works, the 70 years start counting after the death of the last surviving author.
Patent: 20 years from the filing date (CISSP study material often phrases this as "from the date of approval").
Privacy: personally identifiable information (PII)
Security policy: an overall general statement produced by senior management (or a selected policy board or committee). Types of Policies:
Standards: refer to mandatory activities, actions, or rules. Standards can give a policy its support and reinforcement in direction.