Understanding of current information security experts and standards in China

xiaoxiao2021-03-05  34

Author: juan_5515 (Beijing)

Thoughts on the current fever for security standards

Because China's information security development is relatively backward at present and lacks its own standards and theoretical system, we have turned our eyes abroad: from the Rainbow Series to CC, from BS7799 to ISO13335, SSE-CMM, IATF, from NIST to GAO and NSA, on to ITSM, ITIL, BS15000, and the British, Canadian, Australian ... Everyone talks about standards and all kinds of standards certification all day long. In the security services field in particular, some people blindly believe in and worship every foreign standard, as if there were nothing to talk about except standards, as if not talking about standards were unprofessional. On the one hand they are dazzled by the sheer variety of it all; on the other they have to chew through these hard documents with an English-Chinese dictionary. But what do these standards actually bring us? Politics aside, advanced foreign standards and systems do play a good promoting and guiding role in information security construction, and there is nothing wrong with appropriate reference to them. But when you talk about foreign security standards, have you thought about whether these standards really suit China, what role they can play, and whether their actual effect is really what you imagine? Are they worth the time and effort spent promoting them?

Take a few standards as examples:

1. BS 7799. First of all, BS7799 comes from the UK, so it has naturally been influenced by British culture and its legal system. But security is not only a technical issue; it is also a social and legal issue. Put simply, security is not only a matter for the individual, it is also a matter for the state. When BS7799-1 was put to the vote, of the seven Western countries all except the UK voted against, and the countries that did agree were basically Commonwealth countries or the UK's cultural colonies, which illustrates the point. For example, some countries pointed out that the privacy provisions of ISO17799 conflict with their own laws, and privacy is a very sensitive issue. The controls included in BS7799 are not necessarily what you need, and what BS7799 leaves out is not necessarily something you do not need. BS7799 is not process-oriented and has no rigorous theoretical model; it is only a high-level summary of best security practices from various fields, and the best practices it contains have not been proven by security experts. You may expend enormous effort to get through the complicated BS7799 certification and still have no guarantee of security. When you use BS7799's checklist and security policies, it is worth thinking about this seriously.

2. "Whoever holds the standard holds the world" also applies to information security. Who does not want to control the whole world? Standards are part of that: whoever occupies the standard occupies the commanding height, from which you can raise yourself up, put pressure on others and seize the market. Information security touches national interests and is naturally important, and standards are the last threshold by which developing countries can resist the information aggression of developed countries. Once that threshold is lost you will never be secure: if you use products evaluated against foreign standards and certified by foreign standards, what can you do?

3. NIST's FIPS 140-2 is the industry-recognized cryptographic module standard and will also become an ISO standard in the future. The US would like nothing better than to push FIPS onto the whole world, so that they know which standards your system uses and the strengths and weaknesses of your algorithms, and can break it at their leisure in the future.

4. More than one person is using AS/NZS 4360 for risk assessment, but is it an information security standard at all? First, AS/NZS 4360 was drawn up by a dozen or so departments, such as the Australian Ministry of Commerce, to deal with organizational risk. It was not developed specifically for information security risk assessment, so naturally it does not discuss how to fit information security; its introduction to risk assessment, for example, has no assessment model and is quite general. Second, AS/NZS 4360 came out early, when there were not many risk management standards, so it enjoys the advantage of being first, and naturally it was supported by allies such as New Zealand and the UK. I have seen a number of security vendors quote or imitate this standard directly in their proposals. As for what role it actually plays, everyone seems too lazy to think: it is a foreign standard, after all, so surely it must be good?

5. From the perspective of interoperability, it would be best to have only one standard in the whole world. From the perspective of national security, it would be best for all your standards to differ from those abroad, just as the railways of China and Russia use different gauges. A standard means openness, interoperability, and weakness: if you proudly claim that your system reaches CC EAL4, that means you also have EAL4's defects, and the EAL5 analysis method can be used to take you apart.

6. Can certification and testing bodies be trusted? I will not even discuss the commercial evaluation bodies; that is simply buying a certificate with money. As for the official and semi-official institutions, look at their so-called evaluation criteria: either they are equivalent adoptions of international standards, or they are closed and self-contradictory, a bewildering variety. There are historical reasons for this, but it also shows that they are not trustworthy. "A certificate for 50,000", "a certificate for 20,000" is not an empty rumor; they too are profit-making organizations and need to sell XX certificates to support themselves.

Some ideas worth reflecting on: 1. Strictly following security standards makes you secure; 2. A certified system is secure, and there are no traps in security certification; 3. The so-called third-party certification and testing bodies can be trusted.

The above is only my personal view, written down as it came to mind. I hope it throws out a brick to attract jade; everyone is welcome to correct me and discuss in depth.

------------------------------------------------------
author: Yishui Han Jiang Xue

With my eyes closed, I suddenly saw one great vulgarity of the information security world: showing off.

One: How to become a Xin'an (information security) expert

1. The earliest seems to have been PDR, or perhaps CC; I cannot verify which. Anyway, a whole pile of things came out of PDR: P2DR, PDRR, ...; the famous CC diagram (I remember it is Figure 4.1) also spawned a lot of derivatives.

2. SSE-CMM actually has several good diagrams, but its run was a little short. From the end of last year into this year it has been IATF, but IATF is a bit heavy on technology and a bit light on concepts, so it seems many people find it awkward and do not quite dare to act; that is why I often see the word "flying", Chinese that is hard to understand.

3. Then the famous 13335 diagrams (usually Figure 2 and Figure 3) were also "innovated" upon. At present 17799 is being hyped (though it seems to have no diagram).

4. Forecast: the next hot item will surely be the NIST SP 800 series; the signs are already there. Brothers who feel they lack confidence, don't be discouraged, it does not matter, we have a shortcut: start from SP 800: 800-30, 800-37, 800-53, 800-60, 800-59, 800-26, 800-61, ... If you have time or are diligent, then look up and memorize some related background knowledge, such as FISMA, OMB-130, NIST, FIPS, and then you are a big shot; hurry up. Understood? In fact, being an expert is quite easy!

Two: How to make others feel you are a Xin'an expert

Making others think you are one still takes some skill, especially when the other party is a real expert.

1. Vocabulary: you must be careful with word choice. Avoid phrases like "three-dimensional security" or "active security" that an ordinary person could also come out with; that matters. You must use "defense in depth" or "deep defense": first, ordinary people cannot say it, and second, it lets others know you are very familiar with IATF. For example, NIST SP 800-53 may only be called "53", and ISO/IEC 17799 is shortened to "7799".

2. Figures: for the things being hyped, besides understanding their content you must have some numbers at your fingertips, such as the 10 control domains, 36 control objectives and 127 controls in 7799, ready to recite on demand; of course, if you know what has changed in the new version of 7799, you must add that too.

3. Background: you cannot stop at a surface understanding of the hot topic; you must dig into its background, such as who proposed the Reference Monitor model and in what year. The same goes for PDR. Learn the FISMA diagram, and you will understand how 37, 53, 18 and 30 fit together.

4. Tweak the concept of the hot topic and change the diagram (usually not a problem), then find any occasion to "exchange" it. In future you can be a big shot: "I proposed this back in such-and-such year ..." Of course, say it casually. This trick seems to have been used in this forum already.

5. If you get the chance to appear in a PPT at a Xin'an conference (there are still old men like that), then you can go on about it: which expert attached great importance to your view, I ... that time he ......

Three: What activities should a Xin'an expert take part in?

Merely understanding those standards and being able to spout some jargon is not enough; to become a Xin'an expert you must take part in activities and build a reputation.

1. Be sure to attend all kinds of conferences and know what everyone is hyping. There are plenty of these now, especially in Beijing, Shanghai and Guangzhou. If you do not get such opportunities, it does not matter; there are Lei Fengs in this forum. After you get back, quickly digest the material following points One and Two.

2. Keep paying attention to what the academic and official circles are thinking: for example, what Academician He, Shen Qi, Zhao Da, Teacher Cui Shukun, Que Chengyi, File Wen, Teacher Jia Yinghe, Du Hong, Jing Qing, Ning Jiajun and the other big names, the National Information Center, the National Evaluation Center, ... are saying. Be sure to note it down. For example, you can see that the Evaluation Center crowd talk about CC and training, because that is what they earn money from, while the Information Center talks about evaluation. Try hard to understand; skill and ability depend on it. Some fellows have indeed been cultivated this way.

3. Take part in all kinds of research topics and project groups, such as compiling books or drafting a standard; this is not too difficult in Beijing, because these institutions are short of people and get companies to send people to participate. If you are lucky enough to get into one, you can boast about it outside in future, even if in your heart you know you understand nothing. Point Two is sometimes useful here too: for instance, if you want to join these topics, these teachers are very busy and their ears are also quite soft.

4. Never let others know your real situation in these project groups, including your boss and your colleagues. Be sure to be "Big Shot XX".

5. Bring up what you are doing in front of others; if you can get yourself recommended, get recommended.

6. Write some articles that play with concepts, standards and models. It does not matter; information security is a fuzzy thing, so don't worry about others saying you don't understand. Of course, do not talk about cryptographic technology; if you had to understand cryptography you would not need to read my quick guide.

Four: What research should a Xin'an expert do?

Of course one must do research, otherwise one stays at the intermediate level. But research needs a well-chosen topic; pick wrong and you expose yourself. So pick something conspicuous where you can make a little showing; since we are on the fast track, don't spend too much time on things that have not worked out. Xiang Ge recommends, but is not limited to, the following directions:

1. SOC, including security audit platforms, event correlation and so on. Things like this cannot reach their ideal goal, because their underlying supporting theory, artificial intelligence technology, has had no breakthrough. So in this direction you can be as bold as you like ... let your imagination run; whatever information is collected via Syslog, SNMP and so on is all usable. Data reduction, correlation, mining, visualization: even the professors are working on these concepts, so who will bother about us fast-track experts?

2. Risk assessment. Keep r = f(v, t, p, i) in mind; of course, this function can be modified as you see fit. Then 7799, 13335, 30, and if necessary you can add those supplementary standards from the previous reply. Because nobody dares to say what they are actually using (as brother above investigated), you can research boldly. In this research you must fully practise the recommendations of One, Two and Three.

3. Graded protection.

After Document No. 27 it caught fire. According to state requirements three years is one stage, so you have ample time at this stage. The relevant documents to consult are 18, 30, 37, 53, 60, 59; TCSEC and CC can also be referenced. Be very careful not to actually read these standards: they are too big, and how much time do we have? But you must work out their structure, purpose and interrelationships, and, following the requirements of One and Two, memorize some key vocabulary and content. In particular, be sure to pay attention to the names of the documents (not only their numbers), otherwise you will make people laugh. Some institutions cut and paste 7799, IATF and SSE-CMM straight into graded protection; see a certain famous authoritative evaluation agency.

4. Whatever the other experts are doing, keep up with the times.

------------------------------------------------------
author: Yishui Han Jiang Xue

juan_5515 wrote:
Thoughts on the current fever for security standards: Because China's information security development is relatively backward at present and lacks its own standards and theoretical system, we have turned our eyes abroad: from the Rainbow Series to CC, from BS7799 to ISO13335, SSE-CMM, IATF, from NIST to GAO and NSA, on to ITSM, ITIL, BS15000, and the British, Canadian, Australian ... Everyone talks about standards and all kinds of standards certification. In the security services field in particular, some people blindly believe in and worship every foreign standard, as if there were nothing to talk about except standards, as if not talking about standards were unprofessional; on the one hand they are dazzled by the sheer variety, on the other they have to chew through these hard documents with an English-Chinese dictionary. But what do these standards actually bring us? Politics aside, advanced foreign standards and systems do play a good promoting and guiding role in information security construction, and there is nothing wrong with appropriate reference to them. But when you talk about foreign security standards, have you thought about whether these standards really suit China, what role they can play, and whether their actual effect is really what you imagine? Are they worth the time and effort spent promoting them?

I have the following thoughts on the "lag" of standards:

1. By their nature standards lag behind. This is the same as the knowledge learned at university: since it is called a standard, it must be a concept that has already passed the test of practice, so relatively speaking a standard is bound to be behind.

2. Let's not even talk about the government agencies. Last year (October, it seems) at a CC standards promotion meeting held by the National Information Security Product Evaluation and Certification Center (our company also took part and had a "booth" there), an old man at the meeting (with a very big reputation and a loud voice) spoke against the 17859 standard used by the Ministry of Public Security and recommended using the CC standard instead, saying that that standard (derived from the Rainbow Series) was a mid-1980s US standard. Some so-called experts and authorities are really like the Sunflower Manual; truly sad, pitiful, sigh. In fact the current foreign Xin'an standards are developed by the relevant functional departments with government funding, and China has now further strengthened its own standards development and participation. A standard takes several years of brewing from its introduction to finally becoming an international standard, at least 3 years; after it becomes an international standard, the country officially decides to adopt it, then translates it, then formally publishes it, which takes about another 2 years. So everyone ends up studying foreign standards.

Please credit the original address when reproducing: https://www.9cbs.com/read-33792.html
