Sample essay: the OCTAVE Allegro risk assessment method. This sample essay starts from a study published by the IT expert knowledge service Wisegate, in which 33% of respondents named OCTAVE Allegro as their framework of choice, alongside NIST 800-30, which highlights the popularity of OCTAVE Allegro. The essay argues that the key advantage OCTAVE Allegro offers an organization is the flexibility to implement it in parts: because the method is comprehensive, an organization can choose to implement the portions that make the most business sense to it.
Business Application
According to a study published by Wisegate, an IT expert knowledge service, which asked Chief Security Officers about the security methodologies used in their organizations, 33% reported OCTAVE Allegro as their framework of choice, sharing the top rank with NIST SP 800-30. This highlights the popularity of OCTAVE Allegro. The key advantage that OCTAVE Allegro provides an organization is the flexibility to implement it in parts. Because the method is comprehensive, organizations can select for implementation the portions that make the most business sense to them.
The key strength of the OCTAVE Allegro risk assessment method is its all-inclusive consolidation of threat profiles, which in most cases provides significant intelligence for threat mitigation. OCTAVE does not require every asset to be examined, as some other methodologies and frameworks do; this saves a great deal of time and keeps the scope relevant to the business context.
The main focus of OCTAVE Allegro is information assets: the method was defined to analyze risk with a greater focus on the information itself than on the information resources (the containers) that hold it. The important assets of an organization are identified and assessed in the context of how they are used, where they are stored, transported and processed, and how they are consequently exposed to threats, vulnerabilities and disruptions. This reduces the chance that extensive data gathering and analysis are performed for assets that are not well defined. One advantage of OCTAVE Allegro is that it can be performed in a workshop-style, collaborative setting and is supported by all the needed guidance, worksheets and questionnaires, which are available online for free. The method is also appropriate for individuals who want to perform a risk analysis without extensive organizational involvement, expertise or input.
Information is an asset, as are other business assets, and it is essential for an organization that information is suitably protected. This is especially important in a business environment in which organizations are increasingly internetworked and information is exposed to a growing number of different types of threats and vulnerabilities. Information can exist in many forms: printed or written on paper, stored electronically, transmitted by regular mail or by electronic means, shown on film or spoken in conversation. Information in all of these forms must be protected appropriately. According to KPMG, one of the world's largest auditors, what has not been assessed cannot be managed [7]. The first step in protecting information is therefore a security risk assessment of the equipment and procedures used for information processing and storage. This is especially important for institutions in which the exploitation of information security vulnerabilities can lead to significant loss of reputation or direct financial loss. In this paper we present and compare two methods for information security risk assessment. OCTAVE is the more detailed method for assessing information security risk, and it is particularly recommended for security risk assessment of information containers.
Besides the OCTAVE Allegro method, the recommendations of the National Institute of Standards and Technology (NIST) are also used for information security risk assessment. Risk assessment according to NIST is carried out in nine steps, followed by a variety of measures for mitigating risk [2]; this is common to the OCTAVE method too. The OCTAVE methodology can be further augmented by defining a time frame when measures for information risk reduction are selected. OCTAVE is more precise and gives a more comprehensive view of information risk. Under the NIST guidelines, defining the scope of the effort is the first step of a risk assessment, whereas in the OCTAVE Allegro method the criteria for measuring risk are established first, according to the guidelines of the business entity. Risk measurement criteria form the foundation of the risk assessment of an organization's information assets: without such criteria it is not possible to measure the degree to which the business would be affected if a risk to an information asset were realized. The most important criteria for measuring risk in most organizations are Reputation and Customer Confidence, Monetary, Safety, and Legal and Penalties. OCTAVE Allegro is some years newer than the NIST guidelines, and given how quickly today's unpredictable business environment changes, OCTAVE Allegro would therefore be more suitable for security risk assessment. The OCTAVE Allegro method also provides tangible, superior examples of risk assessment and of measures for mitigating risk.
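To make the point about risk measurement criteria concrete, here is an added example (not part of the original essay) that scores constructed risk scenarios against the four impact areas the essay names. The priority ranking of the impact areas, the three-level impact scale (low, moderate, high scored 1, 2, 3) and the scoring rule (area priority multiplied by impact value, summed over all areas) follow the convention of the OCTAVE Allegro risk worksheets but are assumptions here, since the essay does not state them; the two organizations, their rankings and the risk scenarios are constructed for illustration.

```python
"""Relative risk scoring with OCTAVE Allegro-style risk measurement criteria.

Added example, not code from the essay. Impact areas are the four the essay
lists; the ranking, the 1/2/3 impact scale and the scoring rule are assumed
from the OCTAVE Allegro worksheet convention; organizations and risks are
constructed sample data.
"""
from dataclasses import dataclass

# Three-level impact scale (assumption: the essay does not give the scale).
IMPACT_VALUE = {"low": 1, "moderate": 2, "high": 3}

# The four impact areas the essay names as the most important criteria.
IMPACT_AREAS = (
    "reputation_and_customer_confidence",
    "monetary",
    "safety",
    "legal_and_penalties",
)


def validate_priorities(priorities):
    """Step 1 check: every impact area ranked exactly once, ranks 1..n, no ties."""
    if set(priorities) != set(IMPACT_AREAS):
        raise ValueError("every impact area must be ranked exactly once")
    if sorted(priorities.values()) != list(range(1, len(IMPACT_AREAS) + 1)):
        raise ValueError("priorities must be a strict ranking 1..n without ties")
    return priorities


# Constructed criteria for two organizations with different business contexts.
# A hospital puts patient safety first; a retailer puts money first.
HOSPITAL = validate_priorities({
    "safety": 4, "legal_and_penalties": 3,
    "reputation_and_customer_confidence": 2, "monetary": 1,
})
RETAILER = validate_priorities({
    "monetary": 4, "reputation_and_customer_confidence": 3,
    "legal_and_penalties": 2, "safety": 1,
})


@dataclass(frozen=True)
class Risk:
    asset: str    # information asset (Allegro scopes on these, not on containers)
    threat: str   # threat scenario, free text
    impact: dict  # impact area -> "low" | "moderate" | "high"


def relative_risk_score(risk, priorities):
    """Sum over impact areas of (area priority * impact value).

    Refuses to score a risk whose impact has not been rated in every area:
    a partially rated risk would silently look less severe than it is.
    """
    total = 0
    for area in IMPACT_AREAS:
        level = risk.impact.get(area)
        if level not in IMPACT_VALUE:
            raise ValueError(f"{risk.asset}: impact area {area!r} not rated")
        total += priorities[area] * IMPACT_VALUE[level]
    return total


def rank_risks(risks, priorities):
    """Order risks for mitigation, highest relative risk score first."""
    return sorted(risks, key=lambda r: relative_risk_score(r, priorities), reverse=True)


# Constructed risk scenarios; the impact ratings are the same for both
# organizations, only the measurement criteria differ.
RISKS = [
    Risk("patient medication record", "integrity loss: dosage altered in transit",
         {"safety": "high", "legal_and_penalties": "moderate",
          "reputation_and_customer_confidence": "moderate", "monetary": "low"}),
    Risk("payment card data", "disclosure: card numbers exfiltrated from POS",
         {"safety": "low", "legal_and_penalties": "high",
          "reputation_and_customer_confidence": "high", "monetary": "high"}),
    Risk("marketing mailing list", "availability loss: list unavailable for a day",
         {"safety": "low", "legal_and_penalties": "low",
          "reputation_and_customer_confidence": "low", "monetary": "moderate"}),
]


def top_asset(priorities, risks=RISKS):
    """Name of the asset whose risk ranks first under the given criteria."""
    return rank_risks(risks, priorities)[0].asset


if __name__ == "__main__":
    for name, prio in (("hospital", HOSPITAL), ("retailer", RETAILER)):
        print(f"--- {name} ---")
        for r in rank_risks(RISKS, prio):
            print(f"{relative_risk_score(r, prio):3d}  {r.asset}: {r.threat}")
```

With identical impact ratings, the hospital's criteria put the medication record first (23 against 22 for the card data), while the retailer's criteria put the card data first (28). That reordering is exactly why the criteria have to be fixed before any asset is profiled: without them the individual ratings cannot be compared, and the validation deliberately rejects tied rankings and unrated impact areas rather than producing a number that looks authoritative.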
Per the SANS guidelines, information gathering is the first phase of risk assessment, and it begins with a step that requires creating a list of all the assets, including infrastructure, human resources and services used by or intended for the system. Recognizing the possible threats is the second step, followed by obtaining the owner's data sensitivity classification. The fourth step is identifying organizational and technical vulnerabilities and obtaining the owner's business impact ranking of a loss for each of the following security objectives: Availability, Integrity, Confidentiality, Accountability and Assurance. Those five business goals are set out clearly and correctly. In the OCTAVE Allegro methodology, by contrast, the risk measurement criteria are established first; the information asset profile, which records the asset's security requirements (its confidentiality, integrity and availability goals), is developed in the second step, and the containers that hold the asset are identified in the third. Establishing the criteria before any asset is profiled is what makes the later impact ratings comparable, and that is vital.
Risk assessment methods fall into two main groups: empirical methods, which are typically derived from a formalization of best practices, and theoretical methods, which are justified by a formal model. In a typical setting the former are preferred, as their approaches provide rational risk evaluations. A good risk assessment methodology should be both hands-on and theoretically complete, and the OCTAVE Allegro method satisfies both conditions.
The OCTAVE Allegro method provides a thorough and superior quality of analysis and assessment of security risks. The OCTAVE methodology makes it possible to measure more accurately and consequently to reduce the information security risk to an asset more effectively. However, the OCTAVE Allegro method can be complex, and it requires considerably more time and effort when applied to the same information security risk assessment of a given set of assets.
OCTAVE in the Healthcare Industry
OCTAVE risk assessment has been recognized as a preferred methodology for HIPAA compliance, making it relevant to companies that have outsourcing relationships with firms regulated under HIPAA.
Under Title II of the Health Insurance Portability and Accountability Act of 1996 (HIPAA), the Department of Health and Human Services (HHS) is required to establish national standards for the security of electronic healthcare information. It prescribes a series of administrative, technical and physical safeguards for covered entities to use to protect the confidentiality, integrity and availability of electronic protected health information. The standards are broken down into required and addressable implementation specifications.
Standard §164.308(a)(1), the security management process, states that a "covered entity must implement policies and procedures to prevent, detect, contain, and correct security violations." Risk analysis and risk management are required implementation specifications for this standard.
Risk Analysis: Covered entities must conduct an accurate and thorough assessment of the possible risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information held by the covered entity.
Risk Management: Covered entities must implement security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level in order to comply with the required HIPAA safeguards.
As part of an early initiative to get a head start on meeting the Risk Analysis and Risk Management requirements, OCTAVE was endorsed as the information security risk assessment approach of choice by the Security Working Integrated Project Team (WIPT) of the Office of the Assistant Secretary of Defense/Health Affairs (OASD/HA).
The OCTAVE methods have several important characteristics: they are easy to execute and do not require large teams or advanced technical knowledge; they are flexible and can be customized to an organization's particular risk environment, security needs and skill level; and risks are addressed in their business context, which yields results that are easy to understand. OCTAVE can also serve as the foundation risk-assessment component or process for other risk methodologies in a "hybrid" risk assessment approach. OCTAVE information security risk assessments cover all aspects of information security, whether physical, technical or people-related. A drawback of OCTAVE's various models is that they employ a qualitative methodology only, as opposed to quantitative approaches. Table 1 presents a detailed comparison matrix of the standards discussed above.