Change management, information system security management and project risk management operations

Source: Internet
Author: User
Tags least privilege

First, change management


1, the change of the working procedure;


(1) Submit and accept the change request

(2) Preliminary examination of changes

(3) Change scheme demonstration

(4) Review of the Project change Control Committee

(5) Issue notice of change and start implementation

(6) Monitoring of change implementation

(7) Evaluation of change effect

(8) Determine whether the project after the change has been incorporated into the normal track.


2, change the first instance of 4 content;


(1) to influence the change, to confirm the necessity of the change, to ensure that the change is valuable.

(2) Format check, integrity check, to ensure that the evaluation information ready

(3) Agreement on the change information submitted for evaluation by the stakeholders.

(4) The common way to change the preliminary examination is to change the application document audit flow.


3. Control of progress change, including which topics.


(1) Determine the current status of the project progress

(2) Impact on factors that cause changes in schedule

(3) Find out if progress has changed

(4) manage the actual changes as they occur


Second, security management

1, which technology to achieve the confidentiality of information;


(1) Network security protocol

(2) Network authentication Service

(3) Data encryption service


2, which technology to achieve the integrity of information;


(1) Non-repudiation of message source

(2) Firewall system

(3) Communication security

(4) Intrusion detection system


3, which technology to achieve the availability of information;


(1) Fault tolerance and backup of disk and system.

(2) Acceptable login and process performance.

(3) Reliable and functional security processes and mechanisms.


4, the definition of reliability, and measurement methods.


Reliability refers to the probability that the system will not fail to complete the specified function at the specified time and under given conditions, usually measured by MTBF of the mean time between failures.


5. What are the common security technologies used in the application system?


(1) Minimum authorization principle

(2) Anti-exposure

(3) Information encryption

(4) Physical secrecy


6. What are the methods to ensure the integrity of the application system?


(1) Agreement

(2) Error Correcting coding method

(3) Password check method;

(4) Digital signature

(5) Notarization


7, the room for distribution of 8 kinds of power;


(1) Separate power supply

(2) Emergency power supply

(3) Standby power supply

(4) Regulated power supply

(5) Power protection

(6) Uninterrupted power supply

(7) Electrical noise protection

(8) Sudden incident protection


8, emergency power supply, voltage supply of the content;


Emergency power supply: Configure basic equipment with low voltage resistance, improved equipment or stronger equipment such as basic ups, improved UPS, multi-level ups and emergency power supplies (generator sets).

Regulated power supply, using line voltage regulator to prevent the influence of voltage fluctuation on computer system.


9, the application system operation, involving 4 levels of security, these 4 levels of security, according to the granularity from coarse to fine arrangement;


The level of security and secrecy involved in the operation of the application system includes system security, resource access security, functional security and data domain security. These 4 levels of security, by granularity from coarse to fine sort are: system-level security, resource access security, functional security. Data domain security.


10, which belongs to system-level security;


Isolation of sensitive systems, restrictions on Access IP address segments, restrictions on logon periods, session time limits, number of connections, restrictions on number of logins during a specific time period, remote access control, etc.


11, which belongs to the security of resource access;


Security control of access to program resources, on the client side, to provide users with their permissions related to the user interface, only the corresponding permissions to the menu and Action buttons, on the server side of the URL program resources and the business service class method calls access control.


12, which belongs to functional safety;


Functional security can have an impact on program processes, such as whether a user needs to audit when operating a business record, upload attachments cannot exceed a specified size, and so on.


13, the data domain security includes which 2 levels;

Data domain security includes two levels, one of which is row-level data domain security. The second is the field-level data domain security


14, the application system's access control inspection includes which;


Includes physical and logical access controls, whether to increase, change, and cancel access rights according to prescribed policies and procedures, and whether the allocation of user rights follows the "least privilege" principle.


15, the application system log check including which;


Includes database logs, system access logs, System processing logs, error logs, and exception logs.


16, the usability of the application system to check including which;


Including system outage time, system uptime and system recovery time, etc.


17, the application system maintenance check including which;


Whether the maintainability problem is resolved within the stipulated time, whether the problem is resolved correctly, and whether the process of solving the problem is effective.


18, the security level is divided into which 2 kinds;


Security level can be classified into classified and reliability level two

Classified according to the relevant provisions classified as top secret, confidential and secret.

Reliability class can be divided into three levels, the highest reliability requirements for a-class, system operation requires a minimum reliability of C-class, midway between the B-class.


Third, risk management

1, the risk management process includes which six steps;


(1) Risk management planning

(2) Risk identification

(3) Qualitative risk analysis

(4) Quantitative risk analysis

(5) Preparation of the response plan

(6) Risk monitoring


2, the risk of accidents, and the difference between risk factors;


In the case of an event, if it is the direct cause of the loss, then it is a risk accident;

Under other conditions, if it is an indirect cause of loss, it becomes a risk factor.


3. What are the methods of risk identification;


(1) Delphi Technology

(2) Brainstorming method

(3) SWOT Analysis method

(4) Checklist

(5) Graphic technique


4. What are the methods of risk qualitative analysis;


(1) Risk Probability and impact assessment

(2) Probability and impact matrix

(3) Risk classification

(4) Risk urgency assessment


5, risk qualitative analysis, according to the probability and impact matrix, high-risk measures, what is the low-risk measures;


High risk, dark grey represents high risk, need to take key measures, and adopt a positive response strategy,

Low risk, medium gray, simply put it in the list of risks to be observed or allocate additional contingency reserves, without any other immediate direct management measures.


6. What are the methods of risk quantitative analysis;


(1) Expected currency value

(2) Calculation analysis factor

(3) Program Review Technology

(4) Monte Carlo analysis


7, the negative risk of the response strategy there are 3, and each to give an example of the explanation;


Use avoidance is the risk or threat of (circumvention), shifting, and mitigating the three strategies that may negatively affect the project's response objectives.


Risk avoidance refers to changing the project plan to exclude risks or conditions, or to protect the project's objectives from being affected, or to relax some of the targets that are threatened.

Another important strategy for avoiding risk is to exclude the origin of risk by separating the source of risk from the path of the project through separation.


Transfer risk refers to the attempt to transfer the consequences of the risk, together with the responsibility for the response, to other parties, with a variety of transfer tools, including but not limited to the use of insurance, performance bonds, guarantees and bonds. Sell or outsource a part of the business that you are not good at or carry out at your own risk to entrust others with help, concentrating on your core business and effectively transferring the risk.


Mitigation means trying to reduce the probability or consequences of an adverse risk event to an acceptable threshold. For example, using less complex processes, implementing more tests, or choosing a more stable and reliable seller can mitigate the risk.


8. What are the 3 strategies for positive risk, and one example;


Use the risk of developing, sharing, and improving the three strategies that may have a positive impact on your project objectives.


Development, and if the organization wants to ensure that opportunities are fulfilled, it can take the risk of having a positive impact. The goal of this strategy is to eliminate certainty related to specific positive risks by ensuring that opportunities are realized.

Sharing, sharing positive risk is the allocation of responsibility for risk to third parties that are best able to gain access to the benefits of the project.

increase, by promoting or enhancing the cause of opportunity, actively strengthen its trigger conditions, increase the probability of opportunity occurrence, but also can focus on driving factors to improve project opportunities


9. At the same time apply to the negative risk and positive strategy is what, and examples.


At the same time apply to negative risks and positive strategies are accepted.

The strategy can be divided into active and passive ways, the most common way to proactively accept risk is to set up emergency reserves to deal with known or potential unknown threat opportunities. Passively accepting the risk does not require any action to be taken and left to the project team, subject to the situation when the risk occurs.


10. Definition of Risk audit

The risk audit is to examine and document the effectiveness of the risk response strategy in dealing with identified risks and their root causes, as well as the effectiveness of the risk management process.


Change management, information system security management and project risk management operations

Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

If you find any instances of plagiarism from the community, please send an email to: info-contact@alibabacloud.com and provide relevant evidence. A staff member will contact you within 5 working days.

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

  • Sales Support

    1 on 1 presale consultation

  • After-Sales Support

    24/7 Technical Support 6 Free Tickets per Quarter Faster Response

  • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.