The approach used to develop this security profile is shown in the following figure and summarized as follows
Figure – Overview of Security Profile Development Approach
As shown in the figure, each step in the approach builds on the results of the preceding steps.
The primary audiences of this document are organizations that are developing or implementing solutions requiring or providing automated distribution management functionality. This document is written at the normal level of utility security experience for system owners, system implementers, and security engineers. The user is assumed to be experienced at information asset risk estimation. The user is further assumed to be knowledgeable in applying security requirements and guidance. A utility must evaluate the controls and balance the cost of security against the operational impact and the possibility of an operational impact.
This profile presents the superset of controls that should be implemented by DM components and systems. This section discusses how the document should be used by various stakeholders. The document is designed to be used in whole or in part. The profile development approach guides the reader through the process developed by the ASAP-SG team for determining controls required for given failures (impacts) for roles and the functionality they implement (use cases), thereby providing traceability and justification for each of the controls selected.
The utility may use this document to help achieve several security objectives for their organization through activities such as:
In some cases, a utility will not make use of all functionality described in the included use cases, which may obviate the requirements for certain controls. The tables within the document can be used to determine security controls needed for a utility’s environment and provide traceability and justification for the design requirements and control selection. In other cases, an organization may identify an alternative (mitigating) control that makes a required control unnecessary, but the utility should be sure it addresses all the same failures and should perform a risk analysis to confirm the adequacy of the alternative control.
Vendors may use this document to incorporate security controls needed for the development of DM products and solutions. This document provides enough requirement detail to allow a vendor to begin design activities, but avoids prescription that would thwart innovation or drive toward specific implementations. The reference architecture and use cases offer tools for understanding DM applications in an abstract sense.