9--Change management and security management

Source: Internet
Author: User
Tags: benchmark, least privilege

Part One: Change management
1. What is the first principle of change management?
The first principle of change management is to establish the project baseline, the change process and the Change Control Board (CCB).

2. What are the commonly used configuration management tools in China? (name three)
Rational ClearCase, Visual SourceSafe and Concurrent Versions System (CVS).

3. Is the CCB a decision-making body or a working organization?
The CCB is a decision-making body.

4. What is the role of the project manager in a change?
The project manager responds to the requirements of the change requester, assesses the change's impact on the project and proposes a response plan, translates the technical requirements into resource requirements for the authorized decision-maker, and, according to the review result, adjusts the project baseline so that it reflects the actual implementation.

5. What is the working procedure for a change? (Remember)
(1) Submit and accept the change request
(2) Preliminary review of the change
(3) Justification of the change proposal
(4) Review by the Project Change Control Board
(5) Issue the change notice and start implementation
(6) Monitor the implementation of the change
(7) Evaluate the effect of the change
(8) Determine whether the project is back on track after the change

6. What is the purpose of the preliminary review of a change? (Remember)
① Assess the influence of the change, confirm that it is necessary, and ensure that it is valuable.
② Verify the format and completeness of the request, ensuring that the information needed for evaluation is fully prepared.
③ Reach agreement among stakeholders on the change information submitted for evaluation.
④ The usual form of the preliminary review is the approval workflow of the change application document.

7. What aspects does the evaluation of a change's effect cover?
① The first basis of the assessment is the project baseline.
② The original intent of the change must also be considered, to see whether its purpose has been achieved.
③ Evaluate the gap between the technical and economic justification in the change plan and the actual implementation, and propose improvements.

8. For changes, when can batch processing and priority-based handling be used to improve efficiency?
When the project as a whole is under pressure, it is more important to emphasize that the proposing and handling of changes should be standardized; batch processing, prioritization and similar methods can then be used to improve efficiency.

9. When the project is small and has little association with other projects, the proposing and handling of changes should be simple and efficient. Which three points need attention?
(1) Exert influence on the factors that cause the change: prevent unnecessary changes, reduce unnecessary assessments, and improve the efficiency of adopting necessary changes.
(2) The confirmation of a change should be formalized.
(3) The operating process for changes should be standardized.


10. What should the control of schedule changes include? (Remember)
(1) Determine the current status of the project schedule.
(2) Exert influence on the factors that cause schedule changes.
(3) Ascertain whether the schedule has changed.
(4) Manage the actual changes as they occur.

11. What should the control of cost changes include?
(1) (2) Ensure that all change requests are agreed.
(3) Manage the actual changes when they occur.
(4) Ensure that potential cost overruns do not exceed the authorized funding for the project stage and for the project as a whole.
(5) Monitor cost performance and identify deviations from the cost baseline.
(6) Accurately record all deviations from the cost baseline.
(7) Prevent erroneous, inappropriate or unapproved changes from being included in cost or resource-usage reports.
(8) Notify interested parties of approved changes.
(9) Take measures to keep anticipated cost overruns within an acceptable range.


12. Briefly describe the difference between change management and configuration management.
If the project as a whole is treated as a configuration item, configuration management can be seen as the system for managing the project's integrity, while change management is the part of it that adjusts the project baseline.
Change management and configuration management are two related mechanisms: when a project deliverable or a baseline configuration is adjusted through change management, the configuration management system is invoked, and the result of change management must ultimately be fed back into the configuration management system, so that project execution stays consistent with the project's records.

Part Two: Security management
1. What is the information security triad?
Confidentiality, integrity and availability.

2. How is data confidentiality generally implemented?
Network security protocols, authentication services and cryptographic services.

3. What technologies ensure data integrity?
Non-repudiation of message source, firewall systems, communication security and intrusion detection systems.

4. What technologies ensure availability?
Disk and system fault tolerance and backup, acceptable login and processing performance, and reliable functional security processes and mechanisms.

5. In ISO/IEC 27001, the content of information security management is summarized in which 11 areas?
Information security policy, organization of information security, asset management, human resources security, physical and environmental security, communications and operations management, access control, information systems acquisition, development and maintenance, information security incident management, business continuity management, and compliance.

6. What is business continuity management?
Disruption of business activities should be prevented, critical business processes protected from the effects of major information system failures or disasters, and their timely recovery ensured. A business continuity management process should be implemented to reduce the impact on the organization and to recover from the loss of information assets to an acceptable level, through a combination of preventive and recovery controls. This process should identify the critical business processes and integrate the information security management requirements of business continuity with other continuity requirements such as operations, staffing, materials, transport and facilities. The consequences of disasters, security failures, loss of service and service availability should be subject to a business impact analysis. Business continuity plans should be developed and implemented to ensure the timely resumption of essential operations. Information security should be an integral part of the overall business continuity process and of other management processes within the organization. In addition to the general risk assessment process, business continuity management should include controls to identify and reduce risks, limit the consequences of damaging incidents, and ensure that the information required for business processes is readily available.


7. What security technologies are commonly used in application systems?
The least-privilege (minimum authorization) principle, anti-exposure, information encryption and physical secrecy.

8. What are the main factors affecting information integrity?
The main factors affecting information integrity are equipment failure; errors (errors generated during transmission, processing and storage, reduced timing stability and accuracy, and errors caused by various sources of interference); human attacks; and computer viruses.

9. What are the main methods of ensuring the integrity of an application system?
Protocols; error-correcting coding; password/checksum methods; digital signatures; notarization.

10. Which property is generally measured by the ratio of the system's normal usage time to its total working time?
Availability is generally measured by the ratio of the system's normal usage time to its total working time.

11. In the security management system, in what order do security management agencies at different security levels progressively establish their own information security organization and management system?
Appoint security management personnel; establish a security function department; set up a security leadership group; have a principal leader take charge; establish an information security management department.

12. In the list of information system security management elements, which families does the "Risk management" class include? Which families does the "Business continuity management" class include?
The risk management class includes the families: risk management requirements and strategy, risk analysis and assessment, risk control, risk-based decision-making, and risk assessment management. The business continuity management class includes the families: backup and recovery, and security incident handling.


13. How does GB/T 20271-2006 describe the information system security technology system? (top-level headings only)
Physical security, operational security, data security.

14. For power supply, what are emergency power supply, regulated power supply, power protection and uninterruptible power supply?
Emergency power supply: according to the tolerance for low voltage, configure basic, improved or stronger equipment such as basic UPS, improved UPS, multi-level UPS and emergency power supplies (generator sets).
Regulated power supply: use line voltage regulators to prevent voltage fluctuations from affecting the computer system.
Power protection: install power protection devices such as metal-oxide varistors, diodes, gas discharge tubes, filters, voltage-regulating transformers and surge filters to prevent or reduce power faults.
Uninterruptible power supply: use an uninterruptible power supply to prevent voltage fluctuations, electrical interference, power outages and other adverse effects on the computer system.

15. What does access control for personnel entering and leaving the computer room and for its operation include?
The responsibility for computer room security management should be clearly defined, with designated personnel responsible for room access; unauthorized personnel are not allowed to enter the computer room. Visitors admitted to the room should have their scope of activity restricted and be accompanied by reception staff. Room keys are managed by a designated person; without approval, no one may copy the computer room key or the server power-on key. Without clear permission from the designated management, no recording media, documents or protected products may be taken out of the room, items unrelated to work may not be brought in, and smoking, open flames and water are prohibited in the room.
All visitors must be duly approved and the registration records properly kept for future reference. Persons authorized to enter the computer room are generally prohibited from bringing electronic devices such as personal computers into the room; their scope of activity and operation should be restricted, and the room's reception staff are responsible for accompanying them.

16. For electromagnetic compatibility, what should be done to prevent leakage from computer equipment?
To prevent electromagnetic leakage, computer equipment should be fitted with electromagnetic interference (jamming) equipment; the interference equipment protecting operating computer equipment may not be switched off, and a shielded room may be used where necessary. The shielded room should be kept closed at all times; no holes may be punched in the shielding wall or door, and no cable may connect the inside and outside of the shield except through a waveguide or a filter. The leakage of the shielded room should be tested regularly and the necessary maintenance carried out.

17. Which key positions should be under unified management, allowing one person to hold several posts, but with business application operators not concurrently holding other key positions?
Unified management of key information system positions such as security administrators, system administrators, database administrators, network administrators, key business developers, system maintainers and key business application operators; one person may hold several posts, but business application operators may not concurrently hold other key positions.

18. Which positions may business developers and system maintenance personnel not take part in or hold?
Business developers and system maintainers may not hold positions or jobs such as security administrator, system administrator, database administrator, network administrator or key business application operator.

19. Application system operation involves four levels of security; what is their order by granularity from coarse to fine? (Remember)
From coarse to fine: system-level security, resource access security, functional security, data domain security.

20. What is system-level security?
Isolation of sensitive systems, restrictions on the IP address segments allowed to access, restrictions on logon periods, session time limits, limits on the number of connections, restrictions on the number of logins within a specific time period, and remote access control. System-level security is the first protection gate for an application system.


21. What is resource access security?
Security control over access to program resources: on the client side, present users with a user interface matching their permissions, showing only the menus and action buttons they are entitled to; on the server side, control access to URL program resources and to calls of business service class methods.


22. What is functional security?
Functional security affects the program's business process, for example whether a user's operation on a business record requires auditing, or that uploaded attachments may not exceed a specified size.

23. What is data domain security?
Data domain security has two levels: row-level data domain security, which determines which business records a user can access, and field-level data domain security, which determines which fields of a business record a user can access.
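The four security levels in questions 19 to 23 (system level, resource access, functional, data domain) fit together as successive gates in one authorization path. The following is an added example written for this page, not code from the original notes or from any product: a minimal Python module in which each level is a separate check, so a request has to pass the coarse system-level gate before any finer check is consulted. The allowed IP segment, logon window, session limit, URL-to-permission map, row scopes, field scopes, users and orders are all constructed sample data.

```python
"""Added illustration of the four application security levels (system level,
resource access, functional, data domain), ordered coarse to fine.
All policy values, users and records below are constructed sample data."""
import ipaddress
from dataclasses import dataclass, field
from datetime import time

# --- constructed sample policy -------------------------------------------
ALLOWED_NETS = [ipaddress.ip_network("10.10.0.0/16")]   # system level: IP segment
LOGIN_WINDOW = (time(8, 0), time(18, 0))               # system level: logon period
MAX_SESSIONS = 2                                        # system level: connection count
MAX_ATTACHMENT_BYTES = 5 * 1024 * 1024                  # functional: upload size limit
# resource access: which permission unlocks which URL / service method
URL_PERMISSIONS = {"/orders/list": "order:read", "/orders/approve": "order:approve"}
# data domain: which rows and which fields each role may see
ROW_SCOPE = {"clerk": "own", "manager": "department", "auditor": "all"}
FIELD_SCOPE = {"clerk": {"id", "item", "amount"},
               "manager": {"id", "item", "amount", "owner", "department"},
               "auditor": {"id", "item", "amount", "owner", "department", "margin"}}

@dataclass
class User:
    name: str
    role: str
    department: str
    permissions: set = field(default_factory=set)
    active_sessions: int = 0

@dataclass
class Order:
    id: int
    item: str
    amount: int
    owner: str
    department: str
    margin: int

# 1. System-level security: the first gate, evaluated before any application logic.
def system_level_allowed(user: User, src_ip: str, now: time) -> bool:
    ip = ipaddress.ip_address(src_ip)
    in_segment = any(ip in net for net in ALLOWED_NETS)
    in_window = LOGIN_WINDOW[0] <= now <= LOGIN_WINDOW[1]
    under_limit = user.active_sessions < MAX_SESSIONS
    return in_segment and in_window and under_limit

# 2. Resource access security: server-side check of URL / service-method calls;
#    the client only renders the menus the user actually holds permissions for.
def resource_allowed(user: User, url: str) -> bool:
    needed = URL_PERMISSIONS.get(url)
    return needed is not None and needed in user.permissions

def visible_menu(user: User) -> list:
    return sorted(u for u, p in URL_PERMISSIONS.items() if p in user.permissions)

# 3. Functional security: rules that shape the business process itself.
def upload_allowed(size_bytes: int) -> bool:
    return 0 < size_bytes <= MAX_ATTACHMENT_BYTES

def needs_audit(user: User, order: Order, audit_threshold: int = 10_000) -> bool:
    # a clerk's large order must be audited before it takes effect
    return user.role == "clerk" and order.amount >= audit_threshold

# 4. Data domain security: row level (which records) then field level (which columns).
def visible_rows(user: User, orders: list) -> list:
    scope = ROW_SCOPE[user.role]
    if scope == "own":
        return [o for o in orders if o.owner == user.name]
    if scope == "department":
        return [o for o in orders if o.department == user.department]
    return list(orders)

def visible_fields(user: User, order: Order) -> dict:
    allowed = FIELD_SCOPE[user.role]
    return {k: v for k, v in vars(order).items() if k in allowed}

def query_orders(user: User, orders: list) -> list:
    return [visible_fields(user, o) for o in visible_rows(user, orders)]

# constructed sample data
ORDERS = [Order(1, "router", 4000, "alice", "network", 300),
          Order(2, "switch", 12000, "bob", "network", 900),
          Order(3, "server", 30000, "carol", "datacenter", 2500)]
ALICE = User("alice", "clerk", "network", {"order:read"})
MIKE = User("mike", "manager", "network", {"order:read", "order:approve"})

if __name__ == "__main__":
    if system_level_allowed(ALICE, "10.10.3.7", time(9, 30)):
        print("menu for alice:", visible_menu(ALICE))
        for row in query_orders(ALICE, ORDERS):
            print("alice sees:", row)
    for row in query_orders(MIKE, ORDERS):
        print("mike sees:", row)
```

Note that the row and field filters are applied on the server from the user's role, never from anything the client sends; the client-side menu in `visible_menu` is a convenience, and `resource_allowed` is the check that actually protects the URL.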

24. What is the scope of system operation security checks and records? (Describe each item)
① Access control check of the application system. Includes physical and logical access control, whether access rights are added, changed and cancelled according to the prescribed policies and procedures, and whether the allocation of user rights follows the "least privilege" principle.
② Log check of the application system. Includes database logs, system access logs, system processing logs, error logs and exception logs.
③ Availability check of the application system. Includes system outage time, system uptime and system recovery time.
④ Capability check of the application system. Includes system resource consumption, system transaction speed and system throughput.
⑤ Secure operation check of the application system. Whether users' access to and use of the application system follows the relevant information security policies and procedures.
⑥ Maintenance check of the application system. Whether maintenance problems are resolved within the stipulated time, whether they are solved correctly, whether the problem-solving process is effective, etc.
⑦ Configuration check of the application system. Check that the configuration of the application system is reasonable and appropriate, and that each configured component functions as it should.
⑧ Malicious code check. Whether there is malicious code such as viruses, Trojan horses or covert channels causing loss, corruption or illegal modification of application system data, information disclosure, and so on.
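Two of the check items above lend themselves to a concrete, repeatable check: ① (are rights granted beyond what a role needs, and were rights changes made through the prescribed approval procedure?) and ③ (outage time, uptime and recovery time, which also yield the availability ratio from question 10). The following is an added example written for this page, not code from the original notes: a small Python audit that compares each user's grants against a role baseline, flags rights changes that carry no approval record or that were approved by the affected user, and computes availability from a list of outage intervals. The role baseline, grants, change records and outage intervals are constructed sample data; the ticket format "CHG-nnnn" is a placeholder.

```python
"""Added example for check items ① (access control / least privilege) and
③ (availability) of the system operation security check.
Role baselines, grants, change records and outages are constructed sample data."""
from dataclasses import dataclass

# constructed role baseline: the permissions each role legitimately needs
ROLE_BASELINE = {
    "clerk": {"order:read"},
    "manager": {"order:read", "order:approve"},
    "dba": {"db:backup", "db:restore"},
}

@dataclass(frozen=True)
class Grant:
    user: str
    role: str
    permissions: frozenset

@dataclass(frozen=True)
class RightsChange:
    user: str
    action: str        # "add" | "change" | "cancel"
    permission: str
    ticket: str        # approval reference; empty string means none recorded
    approver: str

def excess_permissions(grant: Grant) -> set:
    """Permissions a user holds beyond the role baseline (least-privilege gap)."""
    baseline = ROLE_BASELINE.get(grant.role, set())
    return set(grant.permissions) - baseline

def unprocedural_changes(changes: list) -> list:
    """Rights changes with no approval ticket or no approver, i.e. not made
    according to the prescribed policy and procedure."""
    return [c for c in changes if not c.ticket or not c.approver]

def self_approved_changes(changes: list) -> list:
    """A user approving a change to their own rights defeats the procedure."""
    return [c for c in changes if c.approver == c.user]

def access_control_check(grants: list, changes: list) -> list:
    """Check item ①: returns one finding string per problem found."""
    findings = []
    for g in grants:
        if g.role not in ROLE_BASELINE:
            findings.append(f"unknown role: {g.user} assigned role {g.role!r}")
        extra = excess_permissions(g)
        if extra:
            findings.append(f"least-privilege: {g.user} ({g.role}) holds extra {sorted(extra)}")
    for c in unprocedural_changes(changes):
        findings.append(f"procedure: {c.action} {c.permission} for {c.user} has no approval record")
    for c in self_approved_changes(changes):
        findings.append(f"procedure: {c.user} approved change to own rights ({c.permission})")
    return findings

def availability(total_hours: float, outages: list) -> dict:
    """Check item ③: outage time, uptime, availability ratio (question 10) and
    mean recovery time from a list of (start_hour, end_hour) outage intervals."""
    down = sum(end - start for start, end in outages)
    return {
        "outage_time": down,
        "uptime": total_hours - down,
        "availability": (total_hours - down) / total_hours,
        "mean_recovery_time": down / len(outages) if outages else 0.0,
    }

# constructed sample data
GRANTS = [
    Grant("alice", "clerk", frozenset({"order:read"})),
    Grant("bob", "clerk", frozenset({"order:read", "order:approve"})),      # excess right
    Grant("dave", "dba", frozenset({"db:backup", "db:restore", "order:approve"})),
]
CHANGES = [
    RightsChange("bob", "add", "order:approve", "", ""),               # no approval record
    RightsChange("dave", "add", "order:approve", "CHG-0042", "dave"),  # self-approved
    RightsChange("alice", "cancel", "order:approve", "CHG-0043", "mike"),
]
OUTAGES = [(100, 102), (300, 301)]   # hours since start of a 720-hour month

if __name__ == "__main__":
    for finding in access_control_check(GRANTS, CHANGES):
        print(finding)
    print(availability(720, OUTAGES))
```

The baseline here is per role; in practice the same comparison runs against whatever the organization's authorization matrix is, and every finding should be traceable to a grant or a change record so the reviewer can act on it.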


25. According to the relevant regulations, classification levels are: Top Secret, Confidential and Secret.

26. What are the three levels of reliability rating?
Class A has the highest reliability requirement, Class C is the minimum reliability required for system operation, and Class B lies in between.


This article is from the "struggle more than" blog, please be sure to keep this source http://peenboo.blog.51cto.com/2865551/1761045

