Evidence collection handling

Reporting and documenting

Investigative techniques

Digital forensics

Operational

Criminal

Civil

Regulatory

Electronic discovery (eDicsovery)

Intrusion detection and prevention

Intrusion detection and prevention

Continuous monitoring

Egress monitoring

Asset inventory

Configuration management

Physical assets

Virtual assets

Cloud assets

Applications

Need-to-know/least privilege

Separation of duties and responsibilities

Monitor special privileges

Job rotation

Information lifecycle

Service-level agreements

Media management

Hardware and software asset management

Detection

Response

Mitigation

Reporting

Recovery

Remediation

Lessons learned

Firewalls

Intrusion detection and prevention systems

Whitelisting/Blacklisting

Third-party security services

Sandboxing

Honeypots/Honeynets

Anti-malware

Backup storage strategies (e.g., offsite storage, electronic vaulting, tape rotating) a Recovery site strategies

Multiple processing sites (e.g., operationally redundant systems)

System resilience, high availability, quality of service, and fault tolerance

Response

Personnel

Communications

Assessment

Restoration

Training and awareness

Read through

Walkthrough

Simulation

Parallel

Full interruption

Perimeter

Internal

When it comes to day-to-day operations, few things are more important than maintaining the expected levels of service availability and integrity. Organizations require critical services to be resilient. When negative events affect the organization, the operations staff is expected to ensure minimal disruption to the organization’s activities. This includes anticipating such disruptions and ensuring that key systems are deployed and maintained to help ensure continuity. They are also expected to maintain processes and procedures to help ensure timely detection and response.

关键业务有弹性 保持连续性

Security operations are expected to provideday-to-day protection for a wide variety of resources, including human and material assets. They may not be responsible for setting strategy or designing appropriate security solutions. At a minimum, they will be expected to maintain the controls that have been put into place to protect sensitive or critical resources from compromise.

提供各种资产的日常维护

保护资产不被破坏

Under the current regulatory environment, there has been a renewed focus on maintaining control over users (subjects) that have access to key business systems. In many cases, these subjects have extensive or unlimited capabilities on a given system; these are privileges that could be misused or abused. Operations security will be expected to provide checks and balances against privileged accounts as well as maintain processes that ensure that there continues to be a valid business need for them.

维护用户访问关键业务系统的控制

提供各种帐号（尤其是特权帐号）的检查和平衡，确保这些帐号成为合理的业务需求

No security operations will be effective without strong service management and the processes that are put into place to ensure service consistency. These include key service management processes common to most IT services such as change, configuration, and problem management. It will also include security-specific procedures such as user provisioning and Help/Service Desk procedures. In today’s security operations, there is also considerable focus on reporting and continuous service improvement practices.

IT服务的变更、配置和问题管理

安全相关程序，如用户配资和服务台程序

关注报告和服务持续改进实践

适度谨慎 due care

适度勤勉 due deligence

using these solutions most effectively while also ensuring that privileged accounts are carefully

服务帐号

执行脚本的帐号

the provisioning of users用户配置

managing their access across multiple systems管理跨多系统的访问权限

native access control systems本地访问控制系统

need to know知所必需

Least privilege最小特权

特权帐号

普通或受限用户账号

定义：将一个关键任务分成不同的部分，每个部分由不同的人来执行

目的

原因

系统管理员

操作员

安全管理员

帮助/服务台人员

普通用户

许可、适用性和背景调查

以下情况不应被授予访问权限（如，基于IDS 和防火墙日志，应立即阻断某个IP的访问，但没有；调整时钟或删除日志等）

Account Validation帐户验证

Job rotations岗位轮换

双人操作

强制休假

■ Determine the impact the information has on the mission of the organization.确定信息对组织使用具有的影响

■ Understand the replacement cost of the information (if it can be replaced)了解信息的重置成本（如果它可以被取代）.

■ Determine who in the organization or outside of it has a need for the information and under what circumstances the information should be released.决定哪个组织需要这些信息和在什么情况下应该发布这些信息

■ Know when the information is inaccurate or no longer needed and should be destroyed.知道何时信息是不准确的或不再需要的，应当被销毁

Classification is concerned primarily with access分级关注访问

categorization is primarily concerned with impact分类关注影响.

standardize the defense baselines可使基线标准化

■ 降低存储成本

■ 只保存相关的信息，可加快搜索和索引

■诉讼保留和电子披露是不太可能会遇到错误，预决策或协商信息

SLA是一个描述客户从供应商获得服务水平的简单文档，展示服务测量指标、补救或如果达不到协议要求所遭受的惩罚

如果由于客户的原因导致SLA达不到，则不应该受罚

SLA

OLA（Operational Level Agreements

确保双方理解要求

确保协议没有被有意或无意的曲解

不同的级别不同的价格

协商的起点

Service elements

Management elements

SLA保持更新

供应商将不得不向客户支付由于担保违规造成的任何第三方费用

statistics

Service Availability

Defect Rates不良率

Technical Quality

Security

99 percent availability (which allows for over 7 hours of unplanned downtime per month

99.9 percent (43.8 minutes per month)

99.99percent (4.4 minutes per month).

■ The clients business needs have changed (for example, establishing an e-commerce site increases availability requirements). ■ The technical environment has changed (for example, more reliable equipment makes a higher availability guarantee possible). ■ Workloads have changed. ■ Metrics, measurement tools, and processes have improved.

Proposed changes should be formally presented to the committee in writing. The request should include a detailed justification in the form of a business case argument for the change, focusing on the benefits of implementation and costs of not implementing.

Members of the committee should determine the impacts to operations regarding the decision to implement or reject the change.

Requests should be answered officially regarding their acceptance or rejection.

Subsequent approvals are provided to operations support for test and integration development. The necessary software and hardware should be tested in a non-production environment. All configuration changes associated with a deployment must be fully tested and documented. The security team should be invited to perform a final review of the proposed change within the test environment to ensure that no vulnerabilities are introduced into the production system. Change requests involving the removal of a software or a system component require a similar approach. The item should be removed from the test environment and have a determination made regarding any negative impacts.

System users are notified of the proposed change and the schedule of deployment.

The change is deployed incrementally, when possible, and monitored for issues during the process.

The change is validated by the operations staff to ensure that the intended machines received the deployment package. The security staff performs a security scan or review of the affected machines to ensure that new vulnerabilities are not introduced. Changes should be included in the problem tracking system until operations has ensured that no problems have been introduced.

The outcome of the system change, to include system modifications and lessons learned, should be recorded in the appropriate records. This is the way that change management typically interfaces with configuration management.

the product, system, or item that is being managed throughout its lifecycle within the organization.

■ 组件集处于配置管理的支配下

■ 组件是如何命名的

■组建是如何输入和离开控制集的

■处于CM下的组件是如何被允许变更的.

■CM下的不同版本的组建是如何可用的

■在什么情况彼此每个都能使用

■CM工具是如何启动和加强配置管理的

1. 品牌

2.型号

3. M A C addresses

4. 序列号

5. Operating system or固件版本

6. Location

7. BIOS and other hardware-related passwords

8. Assigned IP address if applicable

9.组织资产管理的标签或条形码

1. Software name

2. Software vendor (and reseller if appropriate)

3. 密码或激活码 (note if there are hardware keys)

4. Type of license and for what version

5. Number of licenses

6. License expiration

7. License portability

8. Organizational software librarian or asset manager

9. Organizational contact for installed software

10. Upgrade, full or limited license

安全专家能迅速找到和减少与硬件类型和版本相关的漏洞

知道网络中硬件类型和位置能降低识别受影响设备的工作量

可以经扫描发现网络中未经授权的设备

记录和追踪配置的变更能提供网络完整性和可用性的保障

定期检查确保非授权变更

The main objective of a patch management program is to create a consistently configured environment that is secure against known vulnerabilities in operating systems and application software.

■ http://cve.mitre.org - The Common Vulnerability and Exposures database that provides the standard naming and numbering convention for disclosed vulnerabilities ■ http://nvd.nist.gov - An online database of known vulnerabilities managed by the U.S. National Institute of Standards and Technology (NIST) ■ http://www.us-cert.gov - An online resource for a wide variety of information on known vulnerabilities and remediation options

基于风险决策

补丁的重要程度

是否会影响到业务

安排更新

部署前通知用户

在夜间或周末更新

部属前备份服务器

可能会产生一些不可见问题

补丁管理是要知道关于安全问题和补丁发布两者的信息

知道与他们环境有关的安全问题和软件更新

建议专人和团队负责提醒管理员和用户的安全问题或应用的更新

1、补丁生命周期（patch cycle） 指导补丁的正常应用和系统的更新

2、作业计划处理关键安全和功能补丁和更新

系统的关键度

处理的数据

环境的复杂度

可用性需求

可用资源

来源（soucre）校验

完整性(integrity)校验

测试环境尽可能的接近生产环境

可以用生产系统的子系统作为测试环境

证明补丁成功具体里程碑和可接受标准

允许关闭变更系统中更新

工具选择

工具类型

及时完成

可控和可预期

对于任何已知漏洞或Bug什么系统需要修补？

系统是否更新真实的补丁？

资产和主机管理

管理工具

System discovery tools

补丁管理方案是团队技术提供基于协作解决组织独特要求的方针和运维的解决方案

帮助组织知道其所有部分

Vulnerabilities arise from flaws, misconfigurations (also known as weaknesses), and policy failures.

识别这些弱点

系统缺陷

配置错误

策略错误

conducted at the system console or through the use of agents on servers and workstations throughout the

identifying missing security updates on servers

identify unauthorized software or services that might indicate a compromised system

发现配置错误

指导所有与事件有关的活动并指导安全人员到一个预定义和预授权路径的解决方案。

描述在事件中所包含的各方的角色和职责中所采取的活动。

There is a large number of technical controls deployed at most enterprises. These controls need to be maintained and managed effectively if they are to be trusted to protect the enterprise. They will also be necessary to quickly alert the security professional when security incidents occur and assist them to respond more effectively. In security operations, the focus is less on the technologies themselves and more on the ways that they are managed in an operational environment.

边界控制

安全运营关注确保技术能够有效运行，并持续监控其有效性

ID/IPS

防火墙

Email security services安全邮件服务

fundamental to successful security operations报告是安全运营的基础

报告的预期受众

报告频率

identify and respond to suspected security-related events in real time or near real time.用来识别和应对实时或近实时的可疑安全相关事件

Network-based intrusion systems

host-based intrusion systems

IDS

IPS

Signature- or Pattern-Matching systems模式匹配（或签名分析）

Protocol Anomaly-Based systems基于异常协议的入侵检测系统

Statistical-Anomaly-Based systems基于统计异常的入侵检测系统

False-positives

False-negatives

installed on individual hosts, on systems部署在单个主机和系统上

Unified Threat Management(UTM)安全网关

continual updates持续更新病毒库

monitored to ensure they are still active and effective通过监控来确保防病毒系统始终存活和有效

automatic scanning for new media and email attachments.部署介质和邮件附件自动扫描策略

Scanning should be scheduled and accomplished on a regular basis.扫描应给定期安排和实施

One disadvantage of system logs is that they provide a view into that single system系统日志的缺点是只能提供单个系统的视角，不能提供相关事件的涉及多个系统的日志和信息

provide a common platform for log collection, collation, and analysis in real time提供一个公共平台，用于日志收集、整理、实时分析。

provide reports on historical events using log information from multiple sources提供使用来自多信息源并关于历史事件的报告

Log management systems are similar日志管理系统是类似的

maintain a disciplined practice of log storage and archiving维护严格的日志存储和归档纪律

Modern reporting tools can also be used to transform security event information into useful business intelligence.当今的报告工具可以将安全事件信息转换为有用的业务智能

■ The need to preserve forensic evidence for possible legal action.以合法行为来保存法庭证据

■ The availability of services the affected component provides.提供受影响的组件，保持服务的可用性

■ The potential damage that leaving the affected component in place may cause.替代受影响组件，避免可能造成的潜在损害

■ The time required for the containment strategy to be effective.需要时间来实施有效的遏制策略

■ The resources required to contain the affected component.需要资源来遏制受影响的组件

lead to further attack

defined to determine how an incident is routed when criminal activity suspected.

■ Does the media or an organizations external affairs group need to be involved?媒体或组织的外部事务组需要参与吗？

■ Does the organizations legal team need to be involved in the review?组织的法律团队需要参与评审吗？

■ At what point does notification of the incident rise to the line management,该事件在什么时间点应该上升到一线管理人，并通知中层管理人。

middle management, senior management, the board of directors, or the stakeholders?高层管理人？董事？股东的董事会？

■ What confidentiality requirements are necessary to protect the incident information?保护事件信息的保密性要求是什么？

■ What methods are used for the reporting? If email is attacked, how does thatimpact the reporting and notification process?用于报告的方法是什么？如果电子邮件系统被攻击，那么如何启动报告和通知程序？手机、固化，应急联系人？

Eradication is the process of removing the threat根除是消除威胁的过程。（如果一个系统感染了病毒而无法正常工作，那么彻底杀毒将根除这一问题。）

reviewing system logs, policies, procedures, security documentation, and network traffic capture if available to first piece together the history of the event that caused the incident

work backwards to determine what allowed the event to happen in the first place.逆向工作来决定事件发生的原因,层层向前推演,直到发现根源

R CA can quickly cross boundaries between technical, cultural, and organizational.RCA可迅速跨越技术、文化和组织之间的边界界限。

Remediation修复

Incident and problem management are intimately related

incident management

problem management

安全审计

security review安全评审

The outcome of the security audit and review process安全审计和评审的输出应列为将要有组织解决的项目和问题

One area that has traditionally been lacking in most organizations is proper evidence handling and management.

computer forensics, digital forensics, and network forensics to electronic data discovery, cyber forensics, and forensic computing.

基于有方法的、可验证的和可审计的程序和协议

为促进和加强发现犯罪事件的重建或者帮助预判非授权活动会终端计划运行，使用科学导向和证实的方法提取来自数据源的数字证据进行保护、收集、验证、识别、分析、解释、记录和展示。 “The use o f scientifically derived and proven methods toward the presentation, collection, validation, identification, analysis, interpretation, documentation and presentation o f digital evidence derived from digital sources for the purpose o f facilitating or furthering the reconstruction o f events found to be criminal, or helping to anticipate unauthorized actions shown to he disruptive to planned operations As 'a forensic discipline, this area deals with evidence and the legal system and is really the marriage o f computer science, information technology, and engineering with law. The inclusion o f the law introduces concepts that may be foreign to many security practitioners and security professionals. These include crime scene, chain o f custody, best evidence, admissibility requirements, rules o f evidence, etc. It is extremely important that anyone who may potentially be involved in an investigation is familiar with the basics o f dealing with and managing evidence. There is nothing worse than finding the proverbial smoking gun only to learn that the evidence cannot be used, will be suppressed, or, even worse, the information security professional has violated the rights o f the individuals in question and is now in worse trouble than the “bad guys.” Although different countries and legal systems have slight variations in determining how evidence and the digital crime scene should be handled, there are enough commonalities that a general discussion is possible.1

Identifying Evidence 识别证据

Collecting or Acquiring Evidence搜集或获取证据

Examining or Analyzing the Evidence检查或分析证据

Presentation of Findings展示证据

1. Identify the scene确定现场，

2. Protect the environment保护环境，

3. Identify evidence and potential sources of evidence确定证据和证据的潜在来源，

4. Collect evidence收集证据，

5. Minimize the degree of contamination降低污染度

物理环境

虚拟环境

动态证据

动机

机会

方式

惯用手法MO

罗卡交换定律

(e.g., United States National Institute of Standards and Technology (NIST), United States Department of Justice (DOJ)/ Federal Bureau of Investigations (FBI) Search and Seizure Manual, NIST SP 800-86: Computer Forensic Guidelines, SWGDE Best Practices for Computer Forensics, ACPO Good Practices Guide for Computer Based Evidence, IACIS forensic examination procedures).

当处理数字证据是，必须应用所有通用取证和程序原则.

抓取证据的行为不能改变证据.

当人员有必要访问原始数字证据时，这个人需要以此为目的进行培训.

所有与数字证据的扣押、访问、存储或传输有关的活动必须被完全记录、保留并在评审检查时可用.

当数字证据在某人身上时某人必须为所有关于数字证据的活动负责.

任何负责抓取、访问、存储和传输数字证据的机构对符合这些原则负责。

■ Minimize handling/corruption of original data.

■ Account for any changes and keep detailed logs of your actions.

■ Comply with the five rules of evidence.

■ Do not exceed your knowledge.

■ Follow your local security policy and obtain written permission.

■ Capture as accurate an image of the system as possible.

■ Be prepared to testify.

■ Ensure your actions are repeatable.

■ Work fast.

■ Proceed from volatile to persistent evidence.

■ Do not run any programs on the affected system.

虚拟团队

专职团队

混合模式团队

外包资源

legal department (in lieu of inhouse legal counsel, arrangements should be made with external counsel), human resources, communications, executive management, physical/corporate security, internal audit, IS security, and IT. 法律部门（内外部的法律顾问都可以）、人力资源、通信、高管、物理/企业安全、内部审计、IS安全以及IT部门等，也包括先关业务部门、系统管理员和任何能够辅助进行事件的调查和恢复的人员

Once the team has been established, it must be trained and stay current with its training.

Computer Emergency Response Team Coordination Center (CERT/CC), AusCERT Forum of Incident Response Teams (FIRST), NIST British Computing Society Canadian Communications Security Establishment (CSE)),

通用框架

If the appropriate groundwork has been laid, the next phase is the actual handling of an incident. triage, investigation, containment, and analysis and tracking.

定义

步骤

证据保管链

访谈

可被法庭接受的证据

取证原则

澳大利亚计算机取证通用指导原则

证据分析方式

需求

计算机犯罪

第一响应人

犯罪调查三要素

Continuous Monitoring as a Service (CMaaS)持续监控及服务，由美国政府所驱动，关注网络防御并内置于基础设施中提供所需服务

Egress Monitoring 出口监测

设计的持续监控系统符合机构需求；

实施持续监控系统并保护机构关键设施；

具体可关注“第六章 安全评估和测试”中“收集安全数据”部分

供给者实施几个小型的犯罪，希望他们结合起来的较大犯罪不会引起人们的注意

对现有数据的更改

捕捉计算机之间发送的密码

攻击者不想让其他人知道自己的真实地址，从而改变数据包IP地址，使其指向另一个地址。

翻看其他人的垃圾箱，以寻找丢弃的文件、信息和其他可用来对该人或公司不利的珍贵物品。

一种被动攻击，用于窃听通信的工具可以是无线电话扫描器、无线电接收器、麦克风接收器、录音器、网络嗅探器等。

是指有人怀着用一个类似域名损害公司或者进行敲诈勒索的目标，购买了一个域名。

Soft-copy media

hard-copy media

Media containing sensitive or confidential information should be encrypted

data should be protected through the use of encryption to mitigate a compromise.

product software

Original copies and installed versions of system and application

问题

解决建议

Backups and archives are two different types of methods used to store information

Recovery from backups

Cloud storage

Virtual storage

记录和信息管理程序 (RIM)

保护硬拷贝记录

应小心清除残留数据

简单删除或格式化

软件清除工具

剩磁

消磁

物理销毁

Malicious activity on the part of malware and malicious users can cause the loss of a significant amount of information.

Interruptions in service can also be extremely disruptive to normal business operations

Theft is also a common threat.

protections on key systems as well as provide appropriate procedures

基于网络入侵检测系统（NIDS）

基于主机入侵检测系统 (HIDS)

基于应用IDS

基于特征IDS

基于规则IDS

基于异常IDS

如果IDS检测到入侵

早期版本的IDS与防火墙集成，指导防火墙对可以流量实施拟定规则

在启动规则的过程中可能会影响正常业务

IDS基本组件

确定谁能收到信息

确定接收的告警类型以及信息的紧急程度

IDS为企业广泛采用的安全技术之一

有效的IDS管理

一列被列为“好的”发送者的邮件地址或IP地址等

一列“坏”的发送者

我不知道你是谁，在我接受之前让你的邮件跳过额外的步骤“

灰名单会告诉邮件发送服务器快速的重新发送新的邮件

These include the Spamhaus Block List (SBL), the Exploits Block List (XBL), the Policy Block List (PBL), and the Domain Block List (DBL). In addition, Spamhaus maintains The Register of Known Spam Operations (ROKSO) database, which collates information and evidence on known professional spam operations that have been terminated by a minimum of 3 Internet Service Providers for spam offenses.18

非营利组织

追踪互联网垃圾邮件的运营和源头

为互联网提供实时有效的垃圾邮件保护

a suite of technologies aimed at stemming the loss of sensitiveinformation that occurs in the enterprise.

瞄准防止企业敏感信息泄露的一套技术

1. Locate and catalog sensitive information stored throughout the enterprise. 2. Monitor and control the movement of sensitive information across enterprise networks. 3. Monitor and control the movement of sensitive information on end-user systems.

将存储在整个企业的敏感信息进行定位和编程目录；

对整个企业敏感信息的移动进行监控和控制；

对终端用户系统敏感信息的移动进行监控和控制；

Enterprises are often unaware of all of the types and locations of information they possess.

组织常没有认识到他们处理的信息的类型和位置，购买DLP方案时首先要了解敏感数据类型和系统间以及系统到用户的数据流；

分类Classifications可以包括属性categories，如隐私数据、财务数据和知识产权等；

一旦对数据进行适当的识别和分类，更深的分析流程来帮助进行主要数据和关键数据路径的定位；

需要关注企业数据的生命周期，理解数据的处理、维护、存储和处置等能揭示更深的数据存储和传输路径；

部署DLP的优点

寻找并识别具体文件类型，识别和记录信息存储的位置；

找到后，DLP打开并识别文件的内容；

DLP使用爬虫系统；crawlers

DLP solution

为监测企业网络数据移动，DLP方案使用特别的网络设备或内置技术有选择的捕获和分析网络流量；

深度文件检测（ deep packet inspection (DPI)）技术，作为DLP的核心能力，DPI能够越过基本的包头信息阅读数据包载荷内容

DPI技术允许DLP检测传输中的数据并确定内容、来源和目的地；

DLP有能力应对加密的数据（如具有加密秘钥），或者再检测前进行解密并在检测完成后继续加密；

监控终端用户在他们的工作站上所采取数据移动行为

使用Agent完成任务

策略建立和管理Policy Creation and Management

集成目录服务Directory Services Integration

工作流管理Workflow Management

备份和恢复Backup and Restore

报告Reporting

cover_medium + hidden_data + stego_key = stego_medium In this context, the cover_medium is the file in which you will hide the hidden_data, which may also be encrypted using the stego_key. The resultant file is the stego_medium (which will, of course, be the same type of file as the cover_medium). The cover_medium (and, thus, the stego_medium) are typically image or audio files.

watermark

隐写术是一种信息隐藏技术，入将大量信息隐藏在图片和视频文件中；

信息隐藏包括隐蔽通道、在Web页面隐藏文本、隐藏可见文件、空密码；

Dynamic application security testing (DAST)

作为诱饵服务器收集攻击者或入侵者进行系统的相关信息

IDS的变体

常见工具

软件虚拟化技术

让程序和进程在隔离的环境中运行

限制访问系统其他文件和系统

一项取代传统基于签名防病毒

恶意软件会使用各种技术规避检测

Hooks

environmental checks环境监测

Anti-Malware Testing Standards Organization (AMTSO防恶意软件测试标准组织

Windows

Andorid

Surviving Site存活站点

Self-Service自助服务

Internal Arrangement 内部安排

Reciprocal Agreements/Mutual Aid Agreements 互惠协定/互助协定

Dedicated Alternate Sites 专用备用站点

Work from Home 在家上班

External Suppliers 外部供应商

No Arrangement 没有布置的

成本效益分析 (CBA)

Some organizations have begun tiering data based on its importance to the organization and frequency of use. The more time sensitive data is replicated offsite either synchronously or asynchronously to ensure its availability and its currency.

全备

增量备份

差异备份

The applications are split between two geographically dispersed data centers and either load balanced between the two centers or hot swapped between the two centers. The surviving data center must have enough head room to carry the full production load in either case.

使用该战略使得应用不能接受宕机影响组织

优势

缺点

Internal Hot Site 内部热站

External Hot Site外部热站

优势

缺点

A leased or rented facility that is usually partially configured with some equipment but not the actual computers. It will generally have all the cooling, cabling, and networks in place to accommodate the recovery, but the actual servers, mainframe, etc. equipment are delivered to the site at the time of disaster.

部分配置有一些设备但不是真实的计算机的租赁设施

冷站就是一个壳或空数据中心，且地板上没有任何技术设施

优势

缺点

是内部配置适当电信装备和IT设备的可移动拖车或标准的集装箱， 可以被机动拖放和安置在所需的备用场所，提供关键的应用服务，如电话交换功能等。

优点

缺点

如果组织的设施覆盖全国或全世界可以使用此解决方案

具有足够的带宽和延迟

可以认为组织内部的“互惠协议”

组织间用来分享宕机风险

在灾难发生时，每个组织承诺承担彼此的数据和处理任务

问题

符合企业的成本效益需求

优点

缺点

可信路径

Fail-Safe故障保障

Fail-Secure 故障财物安全

设备备份

电源备份

驱动器和数据存储

备份和恢复系统

人员编制弹性

the board and senior management

包括使用BIA和风险评估

识别关键角色和职责，建立组织业务连续性测试的最小要求,包括测试频率、范围和结果报告的基线要求

测试策略的变化依赖于组织的范围和风险场景

处理组织及其服务提供商的测试问题

内部系统的测试策略应在系统和数据文件被测试时包含所涉及的人员

集中的号码

帮助服务台

技术操作中心

物理安全人员

监控人员

建立紧急联系名单

评估团队

建立通信渠道

不要忘记一些服务的不可用

由组织中的高级管理人员组成

不需要做作为初始响应的部分

为组织和业务的恢复负有全责

事件发生后位于指令中心

不需要管理日常运维

高管需要响应和协助需要他们指导的问题的解决

关注战略响应

Crisis Managemen t vs. Crisis Leadership

直接向指令中心汇报

具有监控灾难恢复团队,制定恢复和复原流程的职责

向高管汇报事件状态

制定支持恢复的决策

主要职能

检索异地记载和异地存储的恢复信息

向异地站点报告

按优先级顺序执行恢复过程

按需向指挥中心沟通恢复情况

识别问题,并报告给管理团队以获取解决方案

建立恢复团队支持7*24小时全天候的班次

建立关键业务用户和人员联络

修复更换设备和必要的软件来恢复正常运营

在紧急状况中用于通信和决策的中心

在灾难中，用于响应灾难配备应急响应文档以及其他所需资源

也包含处理财物问题的程序

组织具有多个位置,则需要为每个业务站点准备一个计划

站点中有哪些关键业务或技术

为其准备恰当的恢复策略

谁是决策者

如果不能回到建筑物内,人们应该去哪

宣告灾难发生的流程

备份站点的位置

到达备份站点的差旅方式

备份站点的工位分配

备份站点附近的酒店\交通服务和后勤服务

很多计划的问题就是人力资源问题

灾难能够极大的影响到人员

支持团队成员的水平将由灾难本身的性质明确界定

将行政支持作为恢复团队的一部分

在紧急状况中由责任管理团队直接联系应急联系名单中的成员

描述组织如何联系剩余成员

建立应急信息线

Employees and their families

Contractors and business partners

Q Facility and Site Managers

Q Staff Managers (HR, IT, etc.)

Q Senior Managers; Board of Directors

Institutional investors and shareholders

Insurance representatives

Suppliers and Distributors

Customers

Goverment Regulators and Politicians

Competitors

Unions

Communities

Industry activist groups

Internet users or bloggers

Media representatives

Employees may be worried about their jobs, where stockholders may be more worried about the impact to the company stock, and customers just want to know that their product or service will be there when they need it.

在灾难恢复过程中，每个员工应向客户或厂商说的状况是一致的

企业应向所有利益相关者提供恢复状态的最新信息

Non-Incident 非事件

Incident 事件

Severe Incident 严重事件

在采取行动前拍照

For example, an organization may be located in alternate sites for 15 months following the events of an earthquake and for two months following the events of a hurricane. After 9 weeks in the earthquake alternate site, an interim transition plan was executed where employees were distributed between two interim sites while the primary site was repaired and built out.

与厂商协商提供设备构建或复原数据中心

知道危机管理

在灾难恢复中不是执行恢复而是领导组织回归正常

知道执行恢复的程序

以及他们要去的后勤设施

撤离计划

将一部分BCP计划放到新人培训中

■ Expectations for business lines and support functions to demonstrate the achievement of business continuity test objectives consistent with the BIA and risk assessment; 业务线和支持职能部门展示业务连续性性测试目标获得的期望，符合BIA和风险评估

■ A description of the depth and breadth of testing to be accomplished; 完成测试的深度和广度的描述

■ The involvement of staff, technology, and facilities; 员工、技术和设施的范畴

■ Expectations for testing internal and external interdependencies; 内外依存度测试期望

■ An evaluation of the reasonableness of assumptions used in developing the testing strategy. 评价在开发测试策略中臆测的合理性

define what functions, systems, or processes are going to be tested and what will constitute a successful test

BCP每年至少测试一次

测试目标刚开始可以简单逐渐增加复杂度、参与级别、职能以及物理位置

测试不要危及正常业务运行

测试展示在模拟危机下各种管理和响应能力，逐渐增加更多的资源和参与者

揭示不恰当之处以便修正测试程序

考虑偏离测试脚本插入意外事件，比如关键个人或服务的损失

包括足量所有类型交易确保恢复设施适当的能力和功能

基于预定的测试范围和目标

包含测试计划评审程序

包含各种测试场景和方法的开发

测试计划

由高层制定

角色职责，频率、范围和报告结果

关注测试业务线的运行

关注技术部分连续性的测试

确保来自所有领域的关键人员熟悉BCP

确保计划反应组织从灾难恢复过来的能力

■ Attendance of business unit management representatives and employees who play a critical role in the BCP process; ■ Discussion about each person’s responsibilities as defined by the BCP; ■ Individual and team training, which includes a walk-through of the step-bystep procedures outlined in the BCP; and ■ Clarification and highlighting of critical plan elements, as well as problems noted during testing.

会议室联系，低成本

■ A full test of the BCP, which involves all employees; ■ Demonstration of emergency management capabilities of several groups practicing a series of interactive functions, such as direction, control, assessment, operations, and planning; ■ Testing medical response and warning procedures; ■ Actual or simulated response to alternate locations or facilities using actual communications capabilities; ■ Mobilization of personnel and resources at varied geographical sites, including evacuation drills in which employees test the evacuation route and procedures for personnel accountability; and ■ Varying degrees of actual, as opposed to simulated, notification and resource mobilization in which parallel processing is performed and transactions are compared to production results.

尽可能模拟真实的场景

不能影响业务

连续性计划方案是正在进行的流程

所有定义的任务都要与时俱进与现有环境保持一致

必须要有年度要求

emergency management organization (EMO) 应急管理组织

团队的职责

The organizational emergency operations center (EOC)

The organizational contingency planning group

business continuity planners

控制对物理设施的访问，设施防护的第一道屏障

深度防御 defense-in-depth

阻止-检测-延迟-响应deter-detect - delay-respond

■ Emergency generator, including fuel systems, day tank, fire sprinkler, and water supply应急发电机

■ Fuel storage燃料库

■ Telephone distribution and main switchgear

■ Fire pumps 消防泵

■ Building control centers楼宇控制中心

■ Uninterrupted power supply (UPS) systems controlling critical functions

■ HVAC systems if critical to building operation

■ Elevator machinery and controls 起重机械和控制

■ Shafts for stairs, elevators, and utilities 楼梯井、电梯和工具

■ Critical distribution feeders for emergency power

Barriers can be comprised of natural or manufactured elements，如山、河、绿化带

is designated to impede or deny access.

objective

fences are a perimeter identifier that is designed and installed to keep intruders out.

the chain linked fence

largely a psychological deterrent

a boundary marker

Gates exist to facilitate and control access.

Walls serve the same purpose as fences

walls ought to be 7 feet high with 3 to 4 strands of barbed wire on top

Active infrared sensors

Passive infrared sensors

two configurations

bistatic sensor

Monostatic microwave sensors



These systems use a coaxial cable woven through the fabric of the fence

The coaxial cable transmits an electric field

Time Domain Reflectometry (TDR) systems send induced radio frequency (RF) signals down a cable that is attached to the fence fabric.

Intruders climbing or flexing a fence create a signal path flaw that can be converted to an alarm signal



is sophisticated software analysis of the camera images.

CCTV camera systems are increasingly being used as intrusion detection systems.

使用复杂算法允许CCTV系统来检测入侵者

Isolation zones and all exterior areas within the protected area shall be provided with illumination sufficient for the monitoring and observation requirements, but not less than 0.2 fc measured horizontally at ground level. 0.5 fc is acceptable for side landscapes and roadways.

Continuous lighting 连续照明

Standby lighting 备用照明

Movable lighting 流动灯光

Emergency lighting 应急灯光

Fluorescent lights 荧光灯

Mercury vopor lights 汞蒸气灯

Sodium vopor lights 钠蒸汽灯

Quartz lamps 石英灯

interior lighting levels

exterior lighting requirements

Lights used for CCTV monitoring generally require at least 1 to 2 fc of illumination, whereas the lighting needed for safety considerations in exterior areas such as parking lots or garages is substantially greater (at least 5 fc).

Most monochrome CCTV

consist of a magnetically sensitive strip fused onto the surface of a PVC material, like a credit card. 

在PVC材料上附有敏感词条，如信用卡

Proximity cards (prox cards) use embedded antenna wires connected to a chip within the card. The chip is encoded with the unique card identification. Distances at which proximity cards can be read vary by the manufacturer and installation. Readers can require the card to be placed within a fraction of an inch from the reader to six inches away. This will then authenticate the card and will release the magnetic lock on the door.

内置天线，天线挎包姐着具有识别码的芯片，阅读器可通过磁场来阅读芯片的内容

Smart cards are credential cards with a microchip embedded in them

含有微处理芯片的IC卡，具有一定的数据处理能力

带有PIN码的按键或生物识别措施

Surveillance监督

Assessment 评估

Deterrence 威慑

Evidentiary Archives证据归档

Color cameras offer more information,

Outdoor camera户外摄像机