20151026 change management, information system security and risk management


I. Change management

1. The eight steps of the change working procedure:

    • Submit and accept the change request;
    • Preliminary review of the change;
    • Justification (feasibility argument) of the change plan;
    • Review by the project Change Control Committee;
    • Issue the change notice and begin implementation;
    • Monitor the implementation of the change;
    • Evaluate the effect of the change;
    • Judge whether the project has returned to its normal track after the change.

2. The four contents of the preliminary review of a change:

    • Exert influence on the change initiator, confirm the necessity of the change, and ensure that the change is valuable;
    • Format check and completeness check, to ensure that the information required for evaluation is fully prepared;
    • Reach a consensus among the stakeholders on the change information to be evaluated;
    • A common form of the preliminary review is the approval flow of the change request document.

3. Schedule change control includes which four topics:

    • Determine the current status of the project schedule;
    • Exert influence on the factors that cause schedule changes;
    • Ascertain whether the schedule has changed;
    • Manage the actual changes as they occur.


II. Information system security management

1. Technologies used to achieve the confidentiality of information:

    • Network security protocols;
    • Network authentication services;
    • Data encryption services.

2. Technologies used to achieve the integrity of information:

    • Non-repudiation of the message source;
    • Firewall systems;
    • Communication security;
    • Intrusion detection systems.

3. Technologies available to achieve the availability of information:

    • Disk and system fault tolerance and backup;
    • Acceptable login and process performance;
    • Reliable, functional security processes and mechanisms.

4. The definition of reliability and how it is measured.

Reliability is the probability that a system completes its specified function without failure within a specified time and under given conditions; it is usually measured by the mean time between failures (MTBF).

5. Which confidentiality techniques are commonly used in application systems (four items)?

    • The principle of minimum authorization (least privilege);
    • Anti-exposure;
    • Information encryption;
    • Physical confidentiality.

6. What methods ensure the integrity of an application system (five items)?

    • Protocols;
    • Error-correcting coding;
    • Cryptographic checksums;
    • Digital signatures;
    • Notarization.

7. The eight kinds of power supply for the computer room:

    • Separate power supply;
    • Emergency power supply;
    • Standby power supply;
    • Regulated power supply;
    • Power protection;
    • Uninterruptible power supply (UPS);
    • Electrical noise protection;
    • Surge (sudden event) protection.

8. What is covered by emergency power supply and by regulated power supply?

Emergency power supply: configuring basic, improved or stronger equipment that can withstand low voltage, such as a basic UPS, an improved UPS, a multilevel UPS or an emergency power supply (generator set).

Regulated power supply: using a line voltage regulator to prevent voltage fluctuations from affecting the computer system.


9. The operation of an application system involves four levels of security; arrange them in order of granularity from coarse to fine:

    • System-level security;
    • Resource access security;
    • Function-level security;
    • Data domain security.

System-level security includes:

    • Isolation of sensitive systems;
    • Restriction of the IP address segments that may access the system;
    • Restriction of the login time period;
    • Restriction of session time;
    • Restriction of the number of connections;
    • Restriction of logins during a specific time period, and remote access control.

10. What belongs to resource access security?

    • On the client side, provide users with a user interface matching their permissions, displaying only the menus and action buttons that correspond to those permissions;
    • On the server side, URL access control of program resources and of calls to business service classes.

11. What is function-level security?

Whether a user's operations on business records need to be audited, whether an uploaded attachment may not exceed a specified size, and so on. These security restrictions are not entry-point restrictions but restrictions within a program's process, which in some way affect the flow of program execution.

12. Data domain security includes which two levels?

    • Row-level data domain security;
    • Field-level data domain security.

13. What is included in the access control check of an application system?

Physical and logical access control: whether the prescribed policies and procedures are followed when adding, changing and cancelling access rights, and whether the allocation of user rights follows the "least privilege" principle.
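The four security levels above (system-level entry limits, resource access control, a function-level limit, and row-level and field-level data domain security), together with a "least privilege" allocation of user rights, shown as one added Python example. This code is not from the original notes or from any product they describe; the allowed network, login window, session and connection limits, URL-to-permission map, permission names, attachment limit and sample records are all constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, time, timedelta
from ipaddress import ip_address, ip_network

# --- System-level security: entry-point limits (all values constructed for this example) ---
ALLOWED_NETWORKS = [ip_network("10.20.0.0/16")]   # allowed IP address segment
LOGIN_WINDOW = (time(8, 0), time(18, 0))           # permitted login time period
MAX_SESSION = timedelta(hours=2)                   # session time limit
MAX_CONNECTIONS = 3                                # connection count limit per user


def check_system_level(client_ip, now, session_start, active_connections):
    """Return the list of system-level restrictions violated by this request.

    These checks run at the entry point, before any business logic. An empty
    list means the request may proceed to the resource access check."""
    violations = []
    if not any(ip_address(client_ip) in net for net in ALLOWED_NETWORKS):
        violations.append("ip-segment")
    if not (LOGIN_WINDOW[0] <= now.time() <= LOGIN_WINDOW[1]):
        violations.append("login-period")
    if now - session_start > MAX_SESSION:
        violations.append("session-time")
    if active_connections >= MAX_CONNECTIONS:
        violations.append("connection-count")
    return violations


# --- Resource access security: one permission set drives the menu AND the URL check ---
URL_PERMISSIONS = {                                # hypothetical URL -> required permission
    "/orders/list": "order.view",
    "/orders/approve": "order.approve",
    "/admin/users": "user.admin",
}


@dataclass(frozen=True)
class User:
    name: str
    department: str
    permissions: frozenset      # least privilege: only the permissions the role needs


def visible_menu(user):
    """Client side: show only the menu entries matching the user's permissions."""
    return sorted(url for url, perm in URL_PERMISSIONS.items() if perm in user.permissions)


def authorize_url(user, url):
    """Server side: deny unknown URLs and URLs whose permission the user lacks.

    Hiding a menu item is never the only control; the check is repeated here."""
    perm = URL_PERMISSIONS.get(url)
    return perm is not None and perm in user.permissions


# --- Function-level security: a limit inside the program flow, not at the entry point ---
MAX_ATTACHMENT_BYTES = 2 * 1024 * 1024             # constructed attachment size limit


def upload_allowed(size_bytes):
    return 0 < size_bytes <= MAX_ATTACHMENT_BYTES


# --- Data domain security: row-level filtering and field-level masking ---
SENSITIVE_FIELDS = {"salary"}                      # fields that require "data.sensitive"


def filter_rows(user, rows):
    """Row level: without data.view_all a user sees only their own department's rows."""
    if "data.view_all" in user.permissions:
        return [dict(r) for r in rows]
    return [dict(r) for r in rows if r["department"] == user.department]


def mask_fields(user, rows):
    """Field level: mask sensitive columns unless the user holds data.sensitive."""
    if "data.sensitive" in user.permissions:
        return rows
    return [{k: ("***" if k in SENSITIVE_FIELDS else v) for k, v in r.items()} for r in rows]


def query(user, rows):
    """Apply row-level filtering first, then field-level masking."""
    return mask_fields(user, filter_rows(user, rows))


# Constructed sample data so the module runs stand-alone.
RECORDS = [
    {"id": 1, "department": "sales", "owner": "li", "salary": 8000},
    {"id": 2, "department": "sales", "owner": "wang", "salary": 9000},
    {"id": 3, "department": "hr", "owner": "zhao", "salary": 7000},
]
CLERK = User("li", "sales", frozenset({"order.view"}))
HR_ADMIN = User("zhao", "hr", frozenset({"order.view", "user.admin", "data.view_all", "data.sensitive"}))

if __name__ == "__main__":
    now = datetime(2015, 10, 26, 9, 0)
    print(check_system_level("10.20.5.7", now, now - timedelta(minutes=30), 1))
    print(visible_menu(CLERK), authorize_url(CLERK, "/orders/approve"))
    print(query(CLERK, RECORDS))
```

The ordering matters: the coarse system-level checks reject a request before any permission lookup, the URL check on the server repeats what the menu already hides, and the data domain filter is applied to the query result rather than trusted to the client. A clerk therefore sees only sales rows with the salary masked, while the HR administrator, whose permission set explicitly grants both view-all and sensitive access, sees the unmodified records.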


14. What is included in the log check of an application system?

    • Database logs;
    • System access logs;
    • System processing logs;
    • Error logs and exception logs.

15. What are the availability checks of an application system?

    • The system's interruption time;
    • The system's normal service time;
    • The system's recovery time, etc.

16. What does the maintenance check of an application system include?

    • Whether maintainability problems are resolved within the stipulated time and whether they are solved correctly;
    • Whether the solutions are effective, etc.

17. Security levels are divided into which two kinds?

Security levels are classified into two types: the classification (secrecy) level and the reliability level.

Classification levels are top secret, confidential and secret.

Reliability levels are divided into three grades: A, B and C.


III. Risk management

1. The risk management process includes which six steps?

    • Risk management planning;
    • Risk identification;
    • Qualitative risk analysis;
    • Quantitative risk analysis;
    • Risk response planning;
    • Risk monitoring.

2. The difference between a risk event (accident) and a risk factor.

A risk event is the direct or external cause of a loss; it is the medium of the loss, meaning that a risk can lead to a loss only through the occurrence of a risk event.

For a given event, it is a risk event if it is the direct cause of the loss, and under other conditions it becomes a risk factor if it is the indirect cause of the loss.

3. What are the methods of risk identification (five items)?

    • The Delphi technique;
    • Brainstorming;
    • SWOT analysis;
    • Checklists;
    • Diagramming techniques.

4. What are the methods of qualitative risk analysis?

    • Risk probability and impact assessment;
    • The probability and impact matrix;
    • Risk categorization;
    • Risk urgency assessment.

5. In qualitative risk analysis, according to the probability and impact matrix, what measures are taken for high risks and what for low risks?

High risks: take response measures and adopt an active response strategy.

Low risks: simply put them on the list of risks to be observed, or allocate additional contingency reserves, without any other immediate direct management measures.

6. What are the methods of quantitative risk analysis (four items)?

    • Expected Monetary Value (EMV);
    • Computational analysis factors;
    • Program Evaluation and Review Technique (PERT);
    • Monte Carlo analysis.

7. There are three response strategies for negative risks; give an example of each.

    • Avoidance means changing the project plan to exclude the risk or its conditions, to protect the project objectives from being affected, or to relax the requirements for some of the threatened objectives, for example by extending the schedule or reducing the scope.
    • Transfer means shifting the consequences of the risk, together with the responsibility for responding to it, to a third party.
    • Mitigation means reducing the probability and consequences of an adverse risk event to an acceptable threshold; for example, building redundancy into a subsystem at design time can mitigate the impact of a legacy component failure.

8. What are the three strategies for positive risks? Give an example of each.

    • Exploitation eliminates the uncertainty associated with a specific positive risk by ensuring that the opportunity is realized. Direct exploitation measures include assigning more capable resources to the project to shorten the completion time or to achieve higher quality than originally planned.
    • Sharing means assigning responsibility for the risk to the third party best able to capture the benefit for the project, including establishing a risk-sharing partnership or forming a team, a special-purpose project company or a joint venture specifically to manage the opportunity.
    • Enhancement identifies and maximizes the key drivers of these positive risks by increasing the probability of the positive risk or its positive effects, and seeks to change the "size" of the opportunity.

9. Which strategy applies to both negative and positive risks? Give an example.

Risk monitoring

Definition of risk audit

A risk audit examines and documents the effectiveness of the risk response strategies for dealing with identified risks, as well as the effectiveness of the risk management process.


This article is from the blog "Cloth bird people: the Memory of Growth"; please keep this source: http://jackmao90.blog.51cto.com/832047/1706550
