微软安全级别略策.pptVIP

微软安全级别策略 朱晓文 lukezhu@ 微软（中国）有限公司 Evaluation only. Created with Aspose.Slides for .NET 3.5 Client Profile . Copyright 2004-2011 Aspose Pty Ltd. 微软风险管理流程 已过期的风险 风险陈述 文档 Top 10 3. 计划 5. 控制 2. 分析 1. 确认 风险陈述 4. 跟踪 微软IT操作框架(Microsoft Operation Framework) Condition-consequence risk statements help to clearly articulate risk Evaluation only. Created with Aspose.Slides for .NET 3.5 Client Profile . Copyright 2004-2011 Aspose Pty Ltd. 为了得到每个风险可能造成的危害的量化结果 基于可能性(Probability)和影响(Impact) 可能性：该风险发生的几率 影响：该风险发生后的损失或影响 probability x impact = exposure Example: 75% x $500,000 = $375,000 目的是可以比较各风险，以得到风险处理的优先级 计算风险的危害性(Exposure) Evaluation only. Created with Aspose.Slides for .NET 3.5 Client Profile . Copyright 2004-2011 Aspose Pty Ltd. 风险管理策略 减少风险 Example: Minimize the probability (likelihood of the condition) Example: Minimize the impact (level of the consequence) 风险转移 Example: Move to different hardware Example: Subcontract to a third party 风险规避 Example: Don’t undertake certain projects Example: Rely on proven, not cutting-edge, technology Evaluation only. Created with Aspose.Slides for .NET 3.5 Client Profile . Copyright 2004-2011 Aspose Pty Ltd. 微软安全响应中心 位于Redmond的160人的微软安全响应中心(MSRC – Microsoft Security Response Center) 目标：帮助微软用户安全的使用微软系统和网络 既是管理员又是黑客 Subcontract to 3rd party (Foundstone, ISS…) 制定严格的安全规范和操作手则 风险评估 Evaluation only. Created with Aspose.Slides for .NET 3.5 Client Profile . Copyright 2004-2011 Aspose Pty Ltd. 微软安全通告的级别 微软安全通告级别 Critical 紧急——该缺陷可能导致无需用户操作的互联网蠕虫病毒的传播 Important 重要——该缺陷可能导致用户数据的机密性、完整性、或有效性受到伤害，或导致相关处理流程资源的完整性或有效性受到伤害 Moderate. Exploitability is mitigated to a significant degree by factors such as default configuration, auditing, or difficulty of exploitation Low. A vulnerability whose exploitation is extremely difficult, or whose impact is minimal. 微软安全策略的目标 开发安全的产品(Get Secure) 使用户能方便的保持安全(Stay Secure) Evaluation only. Created with Aspose.Slides for .NET 3.5 Client Profile . Copyright 2004-2011 Aspose Pty Ltd. 微软建议的安全流程 设计与开发信息安全策略 制定详细的信息安全规范 信息安全