
Christopher Alberts and Audrey Dorofee are senior technical staff members in the Networked Systems Survivability Program at the Software Engineering Institute (SEI). They are the principal developers of the OCTAVE method. Before joining the SEI, Alberts was a scientist at Carnegie Mellon University's Software Engineering Institute, where he developed mobile robots for operation in hazardous environments. He also worked at AT&T Bell Laboratories, where he designed information systems supporting AT&T's advanced manufacturing processes. Co-author Audrey Dorofee was previously the risk management project leader in the SEI's Risk Program; before joining the SEI she worked at...
List of Figures
List of Tables
Preface
Acknowledgments

Part I Introduction

Chapter 1 Managing Information Security Risks
1.1 Information Security
    What Is Information Security?
    Vulnerability Assessment
    Information Systems Audit
    Information Security Risk Evaluation
    Managed Service Providers
    Implementing a Risk Management Approach
1.2 Information Security Risk Evaluation and Management
    Evaluation Activities
    Risk Evaluation and Management
1.3 An Approach to Information Security Risk Evaluations
    OCTAVE Approach
    Information Security Risk
    Three Phases
    OCTAVE Variations
    Common Elements

Chapter 2 Principles and Attributes of Information Security Risk Evaluations
2.1 Introduction
2.2 Information Security Risk Management Principles
2.2.1 Information Security Risk Evaluation Principles
2.2.2 Risk Management Principles
2.2.3 Organizational and Cultural Principles
2.3 Information Security Risk Evaluation Attributes
2.4 Information Security Risk Evaluation Outputs
2.4.1 Phase 1: Build Asset-Based Threat Profiles
2.4.2 Phase 2: Identify Infrastructure Vulnerabilities
2.4.3 Phase 3: Develop Security Strategy and Plans

Part II The OCTAVE Method

Chapter 3 Introduction to the OCTAVE Method
3.1 Overview of the OCTAVE Method
3.1.1 Preparation
3.1.2 Phase 1: Build Asset-Based Threat Profiles
3.1.3 Phase 2: Identify Infrastructure Vulnerabilities
3.1.4 Phase 3: Develop Security Strategy and Plans
3.2 Mapping Attributes and Outputs to the OCTAVE Method
3.2.1 Attributes and the OCTAVE Method
3.2.2 Outputs and the OCTAVE Method
3.3 Introduction to the Sample Scenario

Chapter 4 Preparing for OCTAVE
4.1 Overview of Preparation
4.2 Obtain Senior Management Sponsorship of OCTAVE
4.3 Select Analysis Team Members
4.4 Select Operational Areas to Participate in OCTAVE
4.5 Select Participants
4.6 Coordinate Logistics
4.7 Sample Scenario

Chapter 5 Identifying Organizational Knowledge (Processes 1 to 3)
5.1 Overview of Processes 1 to 3
5.2 Identify Assets and Relative Priorities
5.3 Identify Areas of Concern
5.4 Identify Security Requirements for Most Important Assets
5.5 Capture Knowledge of Current Security Practices and Organizational Vulnerabilities

Chapter 6 Creating Threat Profiles (Process 4)
6.1 Overview of Process 4
6.2 Before the Workshop: Consolidate Information from Processes 1 to 3
6.3 Select Critical Assets
6.4 Refine Security Requirements for Critical Assets
6.5 Identify Threats to Critical Assets

Chapter 7 Identifying Key Components (Process 5)
7.1 Overview of Process 5
7.2 Identify Key Classes of Components
7.3 Identify Infrastructure Components to Examine

Chapter 8 Evaluating Selected Components (Process 6)
8.1 Overview of Process 6
8.2 Before the Workshop: Run Vulnerability Evaluation Tools on Selected Infrastructure Components
8.3 Review Technology Vulnerabilities and Summarize Results

Chapter 9 Conducting the Risk Analysis (Process 7)
9.1 Overview of Process 7
9.2 Identify the Impact of Threats to Critical Assets
9.3 Create Risk Evaluation Criteria
9.4 Evaluate the Impact of Threats to Critical Assets
9.5 Incorporating Probability into the Risk Analysis
9.5.1 What Is Probability?
9.5.2 Probability in the OCTAVE Method

Chapter 10 Developing a Protection Strategy: Workshop A (Process 8A)
10.1 Overview of Process 8A
10.2 Before the Workshop: Consolidate Information from Processes 1 to 3
10.3 Review Risk Information
10.4 Create Protection Strategy
10.5 Create Risk Mitigation Plans
10.6 Create Action List
10.7 Incorporating Probability into Risk Mitigation

Chapter 11 Developing a Protection Strategy: Workshop B (Process 8B)
11.1 Overview of Process 8B
11.2 Before the Workshop: Prepare to Meet with Senior Management
11.3 Present Risk Information
11.4 Review and Refine Protection Strategy, Mitigation Plans, and Action List
11.5 Create Next Steps
11.6 Summary of Part II

Part III Variations on the OCTAVE Approach

Chapter 12 An Introduction to Tailoring OCTAVE
12.1 The Range of Possibilities
12.2 Tailoring the OCTAVE Method to Your Organization
12.2.1 Tailoring the Evaluation
12.2.2 Tailoring Artifacts

Chapter 13 Practical Applications
13.1 Introduction
13.2 The Small Organization
13.2.1 Company S
13.2.2 Implementing OCTAVE in Small Organizations
13.3 Very Large, Dispersed Organizations
13.4 Integrated Web Portal Service Providers
13.5 Large and Small Organizations
13.6 Other Considerations

Chapter 14 Information Security Risk Management
14.1 Introduction
14.2 A Framework for Managing Information Security Risks
14.2.1 Identify
14.2.2 Analyze
14.2.3 Plan
14.2.4 Implement
14.2.5 Monitor
14.2.6 Control
14.3 Implementing Information Security Risk Management
14.4 Summary

Glossary
Bibliography

Appendix A Case Scenario for the OCTAVE Method
A.1 MedSite OCTAVE Final Report: Introduction
A.2 Protection Strategy for MedSite
A.2.1 Near-Term Action Items
A.3 Risks and Mitigation Plans for Critical Assets
A.3.1 Paper Medical Records
A.3.2 Personal Computers
A.3.3 PIDS
A.3.4 ABC Systems
A.3.5 ECDS
A.4 Technology Vulnerability Evaluation Results and Recommended Actions
A.5 Additional Information
A.5.1 Risk Impact Evaluation Criteria
A.5.2 Other Assets
A.5.3 Consolidated Survey Results

Appendix B Worksheets
B.1 Knowledge Elicitation Worksheets
B.1.1 Asset Worksheet
B.1.2 Areas of Concern Worksheet
B.1.3 Security Requirements Worksheet
B.1.4 Practice Surveys
B.1.5 Protection Strategy Worksheet
B.2 Asset Profile Worksheets
B.2.1 Critical Asset Information
B.2.2 Security Requirements
B.2.3 Threat Profile for Critical Asset
B.2.4 System(s) of Interest
B.2.5 Key Classes of Components
B.2.6 Infrastructure Components to Examine
B.2.7 Summarize Technology Vulnerabilities
B.2.8 Record Action Items
B.2.9 Risk Impact Descriptions
B.2.10 Risk Evaluation Criteria Worksheet
B.2.11 Risk Profile Worksheet
B.2.12 Risk Mitigation Plans
B.3 Strategies and Actions
B.3.1 Current Security Practices Worksheets
B.3.2 Protection Strategy Worksheets
B.3.3 Action List Worksheet

Appendix C Catalog of Practices
About the Authors
Index