Security Administration

Depending on the information system and the severity of the breach, the results could vary from embarrassment, to loss of revenue, to loss of life.

Security can be broken up into six requirements, or tenets. All of the tenets are equally important for helping to ensure the confidentiality, integrity, and availability of data. The tenets are listed as follows:

• Identification. Identification is concerned with user names and how users identify themselves to a computer system.
• Authentication. Authentication is concerned with passwords, smart cards, biometrics, and so forth. Authentication is how users demonstrate to the system that they are who they claim to be.
• Access control (also called authorization). Access control is concerned with the access and privileges granted to users so that they may perform certain functions on a computer system.
• Confidentiality. Confidentiality is concerned with encryption. Confidentiality mechanisms help ensure that only authorized people can see data stored on or traveling across the network.
• Integrity. Integrity is concerned with checksums and digital signatures. Integrity mechanisms help ensure that data is not garbled, lost, or changed when traveling across the network.
• Nonrepudiation. Nonrepudiation is a means of providing proof of data transmission or receipt so that the occurrence of a transaction cannot later be denied.

Another very important aspect of security is auditing. Audit logs may give the only indication that a security breach has occurred. Or, if the breach is discovered some other way, proper audit settings generate an audit log that can help administrators pinpoint the location and the perpetrator of the breach.

Goals and Objectives

The primary goals and objectives of security administration are to ensure:

• Data confidentiality. No one should be able to view an organization's data without authorization.
• Data integrity. All authorized users should feel confident that the data presented to them is accurate and not improperly modified.
• Data availability. Authorized users should be able to access the data they need, when they need it.

Security Administration Scope

Security administration is concerned with those aspects of security necessary for helping to create and maintain a safer computing environment:

• Personnel security. Determining whether employees are properly cleared to handle the data that they access and that adequate checks have been completed before employees are granted access to a system.
• Application security. Determining whether business-critical applications are secure from unauthorized access. This includes a means of identifying and authorizing users of the system.
• Middleware security. Middleware includes messages that pass between parts of a service and data that is stored in databases. These must be secured to ensure that data is not viewed, garbled, or modified in any way.
• Operating system security. The operating system controls access to hardware and provides access to higher-level services such as databases. If the operating system is not secure, then all the systems and services dependent on the operating system can be compromised.
• Hardware security. Security of the computing hardware, storage media, and print output must be ensured. More than ever, hardware such as portable computers (for example, laptops or notebooks), backup tapes, and smart cards contain or provide access to business systems. These assets must be protected both inside and outside the corporate environment.
• Network security. The network carries system data in electronic form. A proper security system protects that data from unauthorized viewing and tampering.
• Facility security. Ensuring that physical locks and alarms are in place to keep the computing system safe and that access to the facility is limited to properly identified and authorized personnel. For example, it is useless to secure data electronically if an intruder can simply open an unlocked door and steal the computer.
• Egress security. Anything that comes into or out of the facility needs to be secured. This includes but is not limited to mail, electricity, and trash. The loss or compromise of these systems should be assessed to determine the impact on critical business systems.

Key Definitions

Access control. Access and privileges granted to users so that they can perform certain authorized functions on a system.

Authentication. The method by which users prove to the system that they are who they claim to be. Authentication is used in passwords, smart cards, biometrics, and so forth.

Authorization. A process that verifies that the user has the correct rights or permissions to access a resource in a domain.

Confidentiality. A component of encryption. Confidentiality mechanisms help to ensure that only authorized people can see data stored on or traveling across the network.

Digital certificate. A digital certificate is a data structure that contains the public key of a public/private key pair and identification information, and is signed by the private key of the issuing certification authority (CA). The certificate binds the public key to the security principal (that is, users and computers). The information included comprises the name of the owner of the certificate, the uses of the certificate (authentication, data encryption, smart card logon, and so on), and the origin of the certificate (which CA or CA hierarchy created it). The certificate is digitally signed by the CA's private key. To check the authenticity of the certificate, the public key of the CA can be used.

Identification. Any mechanism used to uniquely identify a user or a set of privileges on a system. Identification can be likened to a key. Access control can be likened to a lock. Both the key and lock must match, or “fit,” in order to gain access.

Integrity. Data integrity m
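The tenets of identification, authentication and access control, together with the auditing the document stresses, can be seen working together in a small model. The following is an added example written for this page, not code from the MOF document: user names are the identification, a salted PBKDF2 password check is the authentication, a permission table is the access control, and every decision is appended to an audit log that an administrator can query afterwards. The user names, passwords and resource names are constructed sample data.

```python
"""Identification, authentication, access control and auditing in one small model.

Added example (not from the MOF document). All users, passwords, resources and
permissions below are constructed sample data.
"""
import hashlib
import hmac
import secrets
from datetime import datetime, timezone
from typing import Optional

_ITERATIONS = 200_000  # PBKDF2 work factor; raise on real systems as hardware allows


def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, _ITERATIONS)


def make_user(password: str) -> tuple:
    """Store a random salt and the salted hash, never the password itself."""
    salt = secrets.token_bytes(16)
    return salt, _hash_password(password, salt)


# Constructed user store: user name (identification) -> (salt, password hash).
USERS = {
    "alice": make_user("correct horse battery staple"),
    "bob": make_user("hunter2"),
}

# Constructed access-control list: resource -> set of user names permitted.
ACL = {
    "payroll.db": {"alice"},
    "handbook.pdf": {"alice", "bob"},
}

AUDIT_LOG: list = []


def _audit(event: str, user: str, resource: Optional[str], outcome: str) -> None:
    """Append one audit record; the log is what lets a breach be traced later."""
    AUDIT_LOG.append({
        "time": datetime.now(timezone.utc).isoformat(),
        "event": event, "user": user, "resource": resource, "outcome": outcome,
    })


def authenticate(user: str, password: str) -> bool:
    """Identification (the user name) followed by authentication (the password)."""
    record = USERS.get(user)
    if record is None:
        # Hash anyway so an unknown name takes as long as a wrong password.
        _hash_password(password, b"\x00" * 16)
        _audit("login", user, None, "failure: unknown user")
        return False
    salt, expected = record
    ok = hmac.compare_digest(_hash_password(password, salt), expected)
    _audit("login", user, None, "success" if ok else "failure: bad password")
    return ok


def authorize(user: str, resource: str) -> bool:
    """Access control: may this already-authenticated user use the resource?"""
    allowed = user in ACL.get(resource, set())
    _audit("access", user, resource, "granted" if allowed else "denied")
    return allowed


def access(user: str, password: str, resource: str) -> bool:
    """Full path: identify, authenticate, then authorize; every step is audited."""
    return authenticate(user, password) and authorize(user, resource)


def failed_logins(log: Optional[list] = None) -> dict:
    """Auditing: count failed logins per account, the kind of query an
    administrator runs to pinpoint which account a breach attempt targeted."""
    counts: dict = {}
    for entry in (AUDIT_LOG if log is None else log):
        if entry["event"] == "login" and entry["outcome"].startswith("failure"):
            counts[entry["user"]] = counts.get(entry["user"], 0) + 1
    return counts


if __name__ == "__main__":
    access("alice", "correct horse battery staple", "payroll.db")  # granted
    access("bob", "hunter2", "payroll.db")                          # denied
    access("bob", "wrong", "handbook.pdf")                          # bad password
    access("mallory", "x", "handbook.pdf")                          # unknown user
    for entry in AUDIT_LOG:
        print(entry)
    print(failed_logins())
```

Note that a denied access is still a success for the audit trail: the record of who asked for what, and when, is exactly what the document says may be the only indication that something is wrong.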
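The digital certificate definition above describes a structure (subject, public key, permitted uses, issuer) signed by the CA's private key and checked with the CA's public key. The following added example, written for this page and not part of the MOF document, builds that structure and verifies it, then shows that altering the subject name after issuance makes the signature fail. It uses textbook RSA over a SHA-256 digest with 512-bit keys generated in-process purely to keep the example self-contained; the key sizes, the CA name "Example Root CA" and the subject names are constructed, and a real deployment uses an X.509 library rather than this toy signing code.

```python
"""Toy digital certificate: identity + public key + usages + issuer, CA-signed.

Added example, not the MOF document's own. Textbook RSA with small keys is used
only so the example runs with the standard library; it is not for real use.
"""
import copy
import hashlib
import json
import secrets


def _is_probable_prime(n: int, rounds: int = 32) -> bool:
    """Miller-Rabin probabilistic primality test."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = secrets.randbelow(n - 3) + 2
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def _random_prime(bits: int) -> int:
    while True:
        candidate = secrets.randbits(bits) | (1 << (bits - 1)) | 1
        if _is_probable_prime(candidate):
            return candidate


def generate_keypair(bits: int = 512) -> tuple:
    """Return (public, private) RSA keys as plain dicts (toy sizes)."""
    e = 65537
    while True:
        p, q = _random_prime(bits // 2), _random_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e != 0:
            break
    n = p * q
    d = pow(e, -1, phi)  # modular inverse (Python 3.8+)
    return {"n": n, "e": e}, {"n": n, "d": d}


def _digest(payload: dict) -> int:
    # Canonical serialisation so signer and verifier hash identical bytes.
    data = json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()
    return int.from_bytes(hashlib.sha256(data).digest(), "big")


def sign(private: dict, payload: dict) -> int:
    return pow(_digest(payload), private["d"], private["n"])


def verify(public: dict, payload: dict, signature: int) -> bool:
    return pow(signature, public["e"], public["n"]) == _digest(payload)


def issue_certificate(ca_name: str, ca_private: dict, subject: str,
                      subject_public: dict, usages: list) -> dict:
    """Bind the subject's public key to its identity and sign with the CA key."""
    body = {"subject": subject, "public_key": subject_public,
            "key_usage": usages, "issuer": ca_name}
    return {"tbs": body, "signature": sign(ca_private, body)}


def verify_certificate(cert: dict, ca_public: dict, expected_issuer: str) -> bool:
    """Check the issuer name and the CA signature over the to-be-signed body."""
    return (cert["tbs"]["issuer"] == expected_issuer
            and verify(ca_public, cert["tbs"], cert["signature"]))


def demo() -> tuple:
    """Issue a certificate, verify it, then show a tampered copy fails."""
    ca_public, ca_private = generate_keypair()
    alice_public, _ = generate_keypair()
    cert = issue_certificate("Example Root CA", ca_private, "alice@example.test",
                             alice_public, ["authentication", "smart card logon"])
    genuine = verify_certificate(cert, ca_public, "Example Root CA")
    forged = copy.deepcopy(cert)
    forged["tbs"]["subject"] = "mallory@example.test"  # altered after issuance
    tampered = verify_certificate(forged, ca_public, "Example Root CA")
    return genuine, tampered


if __name__ == "__main__":
    print(demo())
```

The verifier never needs the CA's private key: holding only the CA's public key is enough to confirm that the binding between the subject and its public key was made by that CA and has not been changed since, which is the property the definition describes.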