《国内外信息安全学科发展》由会员分享,可在线阅读,更多相关《国内外信息安全学科发展(50页珍藏版)》请在金锄头文库上搜索。
1、国外信息安全教学情况调研2007.11.171 1报告提纲引言国外信息安全相关课程设置情况总体情况有代表性的大学办学特点国外信息安全知识体系相关情况NSTISSI(NationalSecurityTelecommunicationsandInformationSystemSecurityI)ISC(2)的信息安全共同知识体系CBK2 2引言2002年设立信息安全专业的课程调研2004年清华大学出版社信息安全知识点总结2007年教指委信息安全教学规范调研方式:INTERNET调研范围:美英等知名高校20余所所发布的相关课程教学大纲、教学内容等3 3调研范围PurdueUniversityCorn
2、ellUniversityStanfordUniversityMITCMUOxfordUniversityNewYorkUniversityRiceUniversityFloridaStateUniversityPrincetonUniversityUCDavisUniversityofLondonGeorgeMasonUniversityOslouniversity,NorwayFloridaAtlanticUniversityGeorgiaInstituteofTechnpologyPortlandStateUniversity等学校4 4报告提纲引言国外信息安全相关课程设置情况总体情况有
3、代表性的大学国外信息安全知识体系相关情况NSTISSI(NationalSecurityTelecommunicationsandInformationSystemSecurityI)ISC(2)的信息安全共同知识体系CBK办学特点5 5总体情况:总体情况:1995年,美国国家安全局NationalSecurityAgency委任CMU成立信息安全学术人才中心,提高高校信息安全人才培养能力至2003年9月,有50多所教育机构被认定为这种中心,包括44所高等院校和4所国防院校,如CMU,GeogiaInstituteofTechnology,FlaridaStateUniversity,Purd
4、ueUniversity,GeorgeMasonUniversity4所学校设立信息安全专业本科专业,13所学校设立以信息安全为主的本科专业;在10所学校设立信息安全硕士专业,30所学校设立信息安全研究方向;半数以上学校开设课程与NSTISSI的CNSS4011水平相当,20所学校开展了NSTISSI的CNSS4011-4-15认证6 6有代表性的大学Purdueuniversity:信息安全渗透到很多已有学科UniversityofLondon:10门课程,PROJECTFloridaStateUniversity:始于2000,高质量OxfordUniversity:计算机安全课程体系CC
5、-getech:2个选修课系列7 7Purdue University在研究生阶段设置信息安全专业DepartmentsacrossPurdueofferclassesthataddressinformationsecurity,privacy,andriskmanagementtopicsfromvariousperspectives.InformationSecurityCoursesComputerSciences,ComputerandInformationTechnology,HomelandSecurity,IndustrialTechnology,Management,Compu
6、ter&InformationTechnology(IUPUI),ComputerInformationSystems&InformationTechnology(PurdueCalumet);8 8Purdue UniversityInformation Security Courses Computer Sciences CS355IntrotoCryptographyCS426ComputerSecurityCS471IntrotoArtificialIntelligenceCS478IntroductiontoBioinformaticsCS490SSecureNetworkProgr
7、ammingCS526InformationSecurityCS555CryptographyCS591SInformationSecurityandCybercrimeSeminarCS626AdvancedInformationAssuranceCS655AdvancedCryptologyCS690SPrivacyOnline9 9Purdue UniversityComputer and Information Technology C&IT227IntroductiontoBioinformaticsC&IT420BasicCyberForensicsC&IT455NetworkSe
8、curityC&IT499CCyberForensics:AdvancedTechnicalIssuesC&IT499DSmallScaleDigitalDeviceForensicsC&IT499FIntroductiontoComputerForensicsC&IT499NWirelessNetworkSecurityandManagementC&IT528InformationSecurityRiskAssessmentC&IT556IntrotoCyberForensicsC&IT581AAdvancedTopicsinCyberforensicsC&IT581BBiometricDa
9、taAnalysisC&IT581CAppliedCryptographyC&IT581FExpertWitness&ScientificTestimonyC&IT581SInformationSecurityManagementC&IT581VSpecialTopicsinCyberforensicsC&IT581ZWebServicesSecurity1010Purdue UniversityComputerSecurity:Asurveyofthefundamentalsofinformationsecurity.Risksandvulnerabilities,policyformati
10、on,controlsandprotectionmethods,databasesecurity,encryption,authenticationtechnologies,host-basedandnetwork-basedsecurityissues,personnelandphysicalsecurityissues,issuesoflawandprivacy.InformationSecurity:Basicnotionsofconfidentiality,integrity,availability;authenticationmodels;protectionmodels;secu
11、ritykernels;secureprogramming;audit;intrusiondetectionandresponse;operationalsecurityissues;physicalsecurityissues;personnelsecurity;policyformationandenforcement;accesscontrols;informationflow;legalandsocialissues;identificationandauthenticationinlocalanddistributedsystems;classificationandtrustmod
12、eling;andriskassessment1111Purdue UniversityCommunicationsSecurityAndNetworkControls:This course will provide students with an overview of the field of information security and assurance. Students will explore current encryption, hardware, software, and managerial controls needed to operate networks
13、 and computer systems in a safe and secure mannerAdvancedNetworkSecurity:Thiscourseprovidesstudentswiththein-depthstudyandpracticeofadvancedconceptsinappliedsystemsandnetworkingsecurity,includingsecuritypolicies,accesscontrols,IPsecurity,authenticationmechanismsandintrusiondetectionandprotection.121
14、2Purdue UniversitySystemsAssurance:Thiscoursecoverstheimplementationofsystemsassurancewithcomputingsystems.Topicsincludeconfidentiality,integrity,authentication,non-repudiation,intrusiondetection,physicalsecurity,andencryption.ExtensivelaboratoryexercisesareassignedDisasterRecoveryAndPlanning:Thisco
15、ursecoversriskmanagementandbusinesscontinuity.Topicsincludedisasterrecoverystrategies,mitigationstrategies,riskanalysisanddevelopmentofcontingencyplansforunexpectedoutagesandcomponentfailures.Extensivelaboratoryexercisesareassigned.1313Purdue UniversityInformationAssuranceRiskAssessment:Thiscourseco
16、versindustryandgovernmentrequirementsandguidelinesforinformationassuranceandauditingofcomputingsystems.TopicsincluderiskassessmentandimplementationofstandardizedrequirementsandguidelinesSoftwareAssurance:Thiscoursecoversdefensiveprogrammingtechniques,boundsanalysis,errorhandling,advancedtestingtechn
17、iques,detailedcodeauditing,andsoftwarespecificationinatrustedassuredenvironment.Extensivelaboratoryexercisesareassigned.1414Purdue UniversityComputerForensics:Thiscoursecoversthetechniquesusedintheforensicanalysisofcomputerizedsystemsforgatheringevidencetodetailhowasystemhasbeenexploitedorused.Exten
18、sivelaboratoryexercisesareassignedSecure Programming:Shellandenvironment,Bufferoverflows,Integeroverflows,Formatstrings,Meta-charactervulnerabilities(codeinjection)andInputValidation,WebApplicationissues(includingcross-sitescriptingvulnerabilities),Raceconditions,issues,Randomness1515Florida State U
19、niversityDepartmentofComputerScienceSecurityandAssuranceinInformationTechnologyLabSinceMay2000FSUisaNSACenterofExcellenceinInformationSecurityEducationandFSUattendedareceptionattheWhiteHouseinhonorofthesecentersThecoursesininformationsecurityinComputerScienceatFloridaStateUniversitysatisfytheNationa
20、lSecurityTelecommunicationsandInformationSystemsSecurity(NSTISSC)trainingstandardforInformationSecuritySpecialists1616Florida State UniversityNetworkSecurityClass1.Fundamentalsofnetworksecurity.Class2and3.Securechannelsviaencryption.Class4and5.Blockciphersandencryptionmodes.Class6.MessageAuthenticat
21、ionCodes.Class7.Streamciphers.Class8.Authenticationmechanisms.Class9.Thebirthdayparadoxandapplications.Class10.Kerberos.Classes11,12,13and14.Publickeycryptography.Class15.Publickeyinfrastructure.Class16.Examreview.Class17.MidtermClass18.RSAscheme.Class19.SSLscheme.Class20.IPSECscheme.Class21.IPSEC-I
22、KEscheme.Classes22,23,and24.Studentpresentations.Class25.Internetprotocolsreview,andintroductiontopacketfiltering.Class26.BuildingInternetfirewalls.Class27.Intrusiondetectionsystems.Class28.Finalreview.1717University of London开设了10门课程,包括:SecuritymanagementAnintroductiontocryptographyandsecuritymecha
23、nismsNetworksecurityComputersecuritySecureelectroniccommerceandotherapplicationsStandardsandevaluationcriteriaAdvancedcryptographyDatabasesecurityInformationcrimeProjec1818University of LondonSecurity management 690IC01 :Thismodulewillemphasisetheneedforgoodsecuritymanagement.Itsaimsaretoidentifythe
24、problemsassociatedwithsecuritymanagementandtoshowhowvarious(major)organisationssolvethoseproblems.Anintroductiontocryptographyandsecuritymechanisms690IC02:Theapproachofthismoduleisnon-technical.Themainobjectiveistointroducethestudentstothemaintypesofcryptographicmechanism,tothesecurityserviceswhicht
25、heycanprovide,andtotheirmanagement,includingkeymanagement.Themathematicalcontentofthismoduleisminimal.Supportmaterialsfortheelementarymathematicsneededforthismodulewillbeprovided.1919University of LondonNetwork security 690IC03 :Thismoduleisconcernedwiththeprotectionofdatatransferredovercommercialin
26、formationnetworks,includingcomputerandtelecommunicationsnetworks.Afteraninitialbriefstudyofcurrentnetworkingconcepts,avarietyofgenericsecuritytechnologiesrelevanttonetworksarestudied,includinguseridentificationtechniques,authenticationprotocolsandkeydistributionmechanisms.Thisleadsnaturallytoconside
27、rationofsecuritysolutionsforavarietyoftypesofpracticalnetworks,includingLANs,WANs,proprietarycomputernetworks,mobilenetworksandelectronicmail.2020University of LondonComputer security 690IC04 :Thiscoursedealswiththemoretechnicalmeansofmakingacomputingsystemsecure.Thisprocessstartswithdefiningtheprop
28、ersecurityrequirements,whichareusuallystatedasasecuritypolicy.Securitymodelsformalisethosepoliciesandmayserveasareferencetocheckthecorrectnessofanimplementation.Themainsecurityfeaturesandmechanismsinoperatingsystemswillbeexaminedaswellassecurity-relatedissuesofcomputerarchitecture.Specificwell-known
29、operatingsystemsarethenstudiedascasestudies.Otherareasinvestigatedincludethesecurityofmiddleware,softwareprotectionandwebsecurity.2121University of LondonSecure electronic commerce and other applications 690OPT5 :Thismoduleaimstoputtheroleofsecurityintoperspectiveanddemonstratehowitformspartofasecur
30、itysystemwithinanapplication.Theaimistoillustrate,usuallybytheuseofcasestudies,howaparticularsituationmaymakecertainaspectsofsecurityimportantandhowanentiresystemmightfittogether.Standards and evaluation criteria 690OPT7 :Overthelastfewyears,avarietyofsecurity-relatedstandardshavebeenproducedbyinter
31、nationalstandardsbodies.Thismoduleexaminessomeofthemostimportantofthesestandardsindetail.Indoingsoitillustrateshowinternationalstandardsnowcovermanyaspectsoftheanalysisanddesignofsecuresystems.Thematerialcoveredalsoputscertainotheraspectsofthedegreecourseinamorestructuredsetting.Themodulealsocoverse
32、xistingsecurityevaluationcriteria,thecurrentprocessforevaluatingsecuresystems,andguidelinesformanagingITsecurity2222University of LondonAdvanced cryptography 690OPT8 :Thismodulefollowsonfromtheintroductorycryptographymodule.Inthatmodulecryptographicalgorithmswereintroducedaccordingtothepropertiesthe
33、ypossessedandhowtheymightfitintoalargersecurityarchitecture.Inthisunitwelookinsidesomeofthemostpopularandwidelydeployedalgorithmsandwehighlightdesignandcryptanalytictrendsoverthepasttwentyyears.Thiscourseis,bynecessity,somewhatmathematicalandsomebasicmathematicaltechniqueswillbeused.However,despitet
34、hisrelianceonmathematicaltechniques,theemphasisofthemoduleisonunderstandingthemorepracticalaspectsoftheperformanceandsecurityofsomeofthemostwidelyusedcryptographicalgorithms.2323University of LondonDatabase security 690OPT9:Thismodulecoversseveralaspectsofdatabasesecurityandtherelatedsubjectofconcur
35、rencycontrolindistributeddatabases.Wewilldiscussmethodsforconcurrencycontrolandfailurerecoveryindistributeddatabasesandtheinteractionbetweenthosemethodsandsecurityrequirements.Wewillalsoexaminehowaccesscontrolpoliciescanbeadaptedtorelationalandobject-orienteddatabases.2424University of LondonInforma
36、tion crime 690OPT10 :Thismodulecomplementsothermodulesbyexaminingthesubjectfromthecriminalangleandpresentingastudyofcomputercrimeandthecomputercriminal.Wewilldiscussitshistory,causes,developmentandrepressionthroughstudiesofsurveys,typesofcrime,legalmeasures,andsystemandhumanvulnerabilities.Wewillals
37、oexaminetheeffectsofcomputercrimethroughtheexperiencesofvictimsandlawenforcementandlookatthemotivesandattitudesofhackersandothercomputercriminals.2525University of LondonProject 6900011 :Theprojectisamajorindividualpieceofwork.Itcanbeofacademicnatureandaimatacquiringanddemonstratingunderstandingandt
38、heabilitytoreasonaboutsomespecificareaofInformationSecurity.Alternatively,theprojectworkmaydocumenttheabilitytodealwithapracticalaspectofInformationSecurity2626StanfordSecurityLabintheComputerScienceDepartmentCourses:CS155:ComputerandNetworkSecurity.CS255:IntroductiontoCryptographyandComputerSecurit
39、y.CS259:SecurityAnalysisofNetworkProtocolsCS355:TopicsinCryptography.CS99J:Sophomoreseminar:Computersecurityandprivacy.CS55N:Freshmanseminar:TenIdeasinComputerSecurityandCryptography.(讲座)2727OxfordComputer Security:融入计算机系统的设:融入计算机系统的设计开发,形成实践能力计开发,形成实践能力2828OxfordSecurity Principles (SPR)Thiscoursec
40、ombinesatreatmentofthefundamentalprinciplesofcryptographyandsecurityprotocolswithapracticaltreatmentofcurrentbestpractice.Itexplainstheneedforcomputersecurity,andthescopeoftheavailabletechnicalsolutions;presentstechniquesforevaluatingsecuritysolutions;andprovidesanoverviewofthecurrentleadingtechnolo
41、giesandstandardsinthesecurityarena.2929OxfordSecurity Risk Analysis and Management (RIS)Securityisapropertyofanentiresystemincontext,ratherthanofasoftwareproduct,soathoroughunderstandingofsystemsecurityriskanalysisisnecessaryforasuccessfulproject.Thiscourseintroducesthebasicconceptsandtechniquesofse
42、curityriskanalysis,andexplainshowtomanagesecurityrisksthroughtheprojectlifecycle.Participantsshouldhaveabasicunderstandingoftopicsinsecurity,asprovidedbytheSecurityPrinciples(SPR)course.People and Security (PAS)Averyhighproportionoffailuresinsecuritycanbeattributedtomisunderstanding,mis-information,
43、orfailuretograsptheimportanceoftheprocessesindividualsareexpectedtofollow.Thiscoursedrawsonworkfromhuman-computerinteraction,andmorewidelyfrompsychology,relatingtheissuesraisedbacktohardtechnicalimplementationdecisions.Familiaritywithbasicsecurityprinciplesandstandardmechanisms,ascoveredinSecurityPr
44、inciples(SPR),isassumed.3030OxfordDesign for Security (DES)Capabilityinthedesignofsystemswhichwillmeetsecuritygoalsisanincreasinglyimportantskill.Thiscoursewillexplorehowsuitablelevelsofassurancecanbeachievedthroughcombiningarchitecturaldetail,operatingsystemandmiddlewareplatforms,andapplicationsecu
45、ritymeasures.Centraltotheseconsiderationsisconcernforwhichrequirementsaremetwithwell-establishedtools,whichriskscanbeaddressedthoughnoveltechnologies,andwhichmustbemitigatedbyothermeans.Participantsshouldhaveabasicunderstandingoftopicsinsecurity,asprovidedbytheSecurityPrinciples(SPR)course.Platforms
46、 for Security (PLA)Inordertobuildsecuresystems,appropriatemethodologiesmustbeusedthroughoutthelifecycle,notleastinthedetailedimplementationstage.Thiscoursetakesacasestudyapproachtotopicssuchasbufferoverflows,cryptographiclibraries,sandboxing,codesigning,networksecurity,andcodecorrectness,tobuildtowa
47、rdsatoolkitofsoundprinciples.Participantsshouldhaveabasicunderstandingoftopicsinsecurity,asprovidedbytheSecurityPrinciples(SPR)course.3131CC-getechInformationSecurityFixedCoreCourses(23semesterhours):IntroductiontoInformationSecurityAppliedCryptographySecureComputerSystemsNetworkSecurityInformationS
48、ecurityLaboratoryInformationSecurityStrategiesandPoliciesPracticum/Project/Research(5credithours)3232CC-getechConcentrationI(TechnologyCentric-9CreditHours),ChoosethreecoursesfromthefollowingIntroductiontoNumberTheoryTheoryIIAdvancedOperatingSystemsComputerNetworksFormalModelsandMethodsforInformatio
49、nAssuranceSoftwareDevelopmentProcessDatabaseSystemsConceptsadnDesignInternetworkingArchitectureandProtocols3333CC-getechConcentrationII(PolicyCentric-9CreditHours)Choosethreecoursesfromthefollowing.TechnologyForecastingandAssessmentScience,TechnologyandPublicPolicyCostandBenefitAnalysisManagementInf
50、ormationSystemsBusinessProcessAnalysis&Design(SAP)SecurityandPrivacyofInformation&InformationSystems(GSU)3434国外办学特色总结办学思路方面:办学思路方面:1.信息安全信息安全科研活跃科研活跃的高效设立相关课程、但体系性不强的高效设立相关课程、但体系性不强2.信息安全知识信息安全知识渗透渗透到已有各个专业到已有各个专业3.讲解讲解细致细致、事例丰富、事例丰富4.低年级涉及专业的目的意义,并通过动手实践能力的培养激低年级涉及专业的目的意义,并通过动手实践能力的培养激发学生兴趣发学生兴趣1.宾
51、州大学的一年级的课程,(UndergraduateResearch/IndependentStudy,InformationTechnologyandItsImpactonSociety)2.芝加哥大学的WebDesign:Aesthetics/lang5.高年级注重学生知识面的拓展,开办讲座(约高年级注重学生知识面的拓展,开办讲座(约2小时),研究小时),研究方向研讨会等方向研讨会等3535课程方面:课程方面:1.基本课程基本课程计算机安全、密码、网络安全、安全管理、数据库安全、计计算机安全、密码、网络安全、安全管理、数据库安全、计算机算机/网络取证网络取证2.特色课程特色课程人员安全、安全
52、编程(人员安全、安全编程(PU)、无线网络安全()、无线网络安全(PU)、)、PROJECT、信息犯罪、网络协议安全性分析、讲座、信息犯罪、网络协议安全性分析、讲座/专题、专题、网络攻防(网络攻防(NYU)3.成绩评分方式成绩评分方式平时作业(平时作业(30-50%)、工程实践()、工程实践(30-50%)、期中期末考)、期中期末考试试(30-40%)、出勤、出勤(5%左右左右)等等3636教学方式方面:教学方式方面:1.网络成为师生沟通的桥梁,在教学中起重要作用,相关网络成为师生沟通的桥梁,在教学中起重要作用,相关信息在网上都查得到,包括:每学期各专业的开课情况、信息在网上都查得到,包括:每
53、学期各专业的开课情况、课程介绍、任课教师、参考书目、教师要求、评分方式、课程介绍、任课教师、参考书目、教师要求、评分方式、教师的讲义(教师的讲义(ppt)等等。)等等。2.聘请外校专家讲授课程或课程的部分章节。聘请外校专家讲授课程或课程的部分章节。3.多名教师或研究生共同教授同一门课,各有分工。多名教师或研究生共同教授同一门课,各有分工。4.布置学生阅读大量参考文献并讨论(布置学生阅读大量参考文献并讨论(stanford),一定),一定的交流讨论课时(的交流讨论课时(1/3)3737报告提纲引言国外信息安全相关课程设置情况总体情况有代表性的大学国外信息安全知识体系相关情况NSTISSI(Nat
54、ionalSecurityTelecommunicationsandInformationSystemSecurityI)ISC(2)的信息安全共同知识体系CBK办学特点3838NSTISSI(NationalSecurityTelecommunicationsandInformationSystemSecurityI)的CNSS4011-4015CNSS4011:国家信息系统安全专业人才培训标准NationalTrainingStandardforInformationSystemsSecurity(INFOSEC)ProfessioinalsCNSS4012:国家高级系统管理员信息安全培训
55、标准NationalInformationAssuranceTrainingStandardforSeniorSystemsManagersCNSS4013:国家系统管理员信息安全培训标准NationalInformationAssuranceTraningStandardforSystemAdministratorsCNSS4014:国家信息系统安全官员安全培训标准InformationAssuranceTrainingStandardforInformationSystemsSecurityOfficersCNSS4015:国家系统证书培训标准NationalTrainingStandar
56、dforSystemCertifiers3939CNSS4011培训标准培训课程采用信息安全综合模型,向受培训者提供两个层面的相关知识认知层面:对于国家信息信息系统威胁和弱点,要建立起敏感的认知。认识到保护数据、信息和信息处理手段的需求及意义;具有从事信息安全工作的原理和实践知识实践层面:培训INFOSEC安全过程和实践的设计、执行和评估技能。对这个层面的理解可以确保学员有能力对他们在实践过程中遇到的安全概念加以应用4040CNSS4011培训标准教学计划:1、通信基础(认知层面)教学内容:现代通信系统的演化过程,传输介质学习成果:通信系统发展年代表,匹配传输特性和描述符主要内容:历史和当前方
57、法对比;各种通信系统的能力和局限性历史和当前方法对比;各种通信系统的能力和局限性2、自动化信息系统AIS基础(认知层面)教学内容:提供AIS语言;结合AIS实例描述AIS环境;综述AIS中硬件、软件、固定组件结合后文中信息系统安全外貌/行为学习成果:AIS术语解释;可执行功能解释;描述AIS组件间相互关系主要内容:历史和当前技术对比;硬件;软件;存储器;介质;网络历史和当前技术对比;硬件;软件;存储器;介质;网络4141CNSS4011培训标准教学计划:3、安全基础(认知层面)教学内容:应用信息系统安全广泛模型,提出重要信息属性、信息状态、安全测量标准学习成果:学生应列出并表述AIS安全中的要
58、素,对保护系统AIS的安全训练进行总结,能举例说出重要信息的决定性主要内容:INFOSEC概述,操作安全OPSEC,信息安全INFOSEC4、NSTISS基础(认知层面)教学内容:组件描述,包括国家策略、威胁和弱点,对策,风险管理,系统生命周期管理,信任,操作模式,组织单元角色,NSTISS各方面等实例学习成果:概括出国家NSTISS策略;验证AIS弱点和潜在威胁,举例说明NISS策略,国产和实践的代理实现主要内容:国家策略和指导,系统弱点和威胁,法律要素,对策,风国家策略和指导,系统弱点和威胁,法律要素,对策,风险管理,系统生命周期管理,信任,运行模式,多种组织人员的角色,险管理,系统生命周
59、期管理,信任,运行模式,多种组织人员的角色,NSTISS各方面各方面4242CNSS4011培训标准教学计划:5、系统运行环境(认知层面)教学内容:勾画出机构的具体自动信息系统和通信系统;描述机构的控制点,以便购买和维护自动信息系统和通信系统;评论自动信息系统和通信系统的安全策略学习成果:总结出机构中自动信息系统和通信系统;给出淡青机构的自动信息系统或通信系统和配置的示例,和维护的可操作点主要内容:自动信息系统,通信系统,各机构具体的安全策略,各机自动信息系统,通信系统,各机构具体的安全策略,各机构具体的自动通信系统或通信系统的策略构具体的自动通信系统或通信系统的策略6、NSTISS计划和管理
60、(实践层面)教学内容:讨论涉及安全措施和编码过程中的实际行动,介绍常见的安全计划指南/文档学习成果:针对教师提供的自动信息系统和通信系统建立安全计划主要内容:安全计划,风险管理,系统生命周期管理,意外事故计划安全计划,风险管理,系统生命周期管理,意外事故计划/灾难恢复灾难恢复4343CNSS4011培训标准教学计划:7、NSTISS策略和程序(实践层面)教学内容:NSTIISS的特殊技术、政策方针、教育解决方案;拥有相应保护措施的AIS/电信系统中存在的攻击和威胁原理学习成果:在AgencyAIS/电信系统中扮演一个系统的入侵者或守护者角色;学生需要讨论漏洞并提供适当对策主要内容:物理安全措施
61、,职员安全实践和程序,软件安全,网络安全,管理安全程序控制,审核和监控,密码安全,密钥管理,传输安全,TEMPEST安全4444(ISC)2整理的公共知识体系国际信息系统安全认证协会国际信息系统安全认证协会(InternationalInformationSystemsSecurityCertificationConsortium),简称(ISC)2,于一九八九年由多个组织在北美共同设立,是一个全球性的非营利组织,其成立的宗旨是为信息安全行业发展出一套业界承认的标准,并致力于国际标准的信息安全专家和从业人员认证和培训CISSP-CertifiedInformationSystemsSecuri
62、tyProfessional,信息系统安全专业人员资格认证.CISSP认证是目前世界上最权威、最全面的国际化信息系统安全方面的认证。CISSP认证已成为IT行业的十大资质认证之一。目前,全球已经有13000多人通过CISSP专业认证,其中亚洲区有3000多人,覆盖60多个国家和地区,其权威性得到了国际上企业、金融、学术、政府等多个行业的认可。4545(ISC)2CBK是一门国际性的专业知识,由十个领域组成:安全管理实务(SecurityManagementPractices)访问控制(AccessControlSystems)通信和网络安全(TelecommunicationsandNetwo
63、rkSecurity)密码学(Cryptography)安全体系和模型(SecurityArchitectureandModels)运作安全(OperationsSecurity)应用与系统开发(ApplicationsandSystemsDevelopment)业务连续性计划与灾难恢复(BusinessContinuityPlanningandDisasterRecoveryPlanning)法律、犯罪调查及道德规范(Law,Investigations,andEthics)物理安全(PhysicalSecurity)4646CBK1、安全管理实践安全管理实践(SecurityManagem
64、entPractices):安全管理负责辨别一个组织的信息资产的评估和策略、标准、过程、指南的发展、存档、实现。能够应用管理工具如数据分类、风险评估/分析来识别威胁、资产分类、评价系统弱点,最终实现有效的控制2、安全体系结构和模型安全体系结构和模型securityarchitectureandmodels:包括基本的概念、原理、结构、标准,这些将用于设计、监视和保护操作系统、设备、网络、应用,以及用于提高各个层次的可用性、完整性、机密性的控制3、访问控制系统与方法访问控制系统与方法AccessControlSystemsandMethodology:是一个机制集合,这些机制一道工作以创建一个保
65、护信息系统资产的安全体系结构4747CBK4、应用开发的安全应用开发的安全ApplicationDevelopmentSecurity:该领域探讨用于应用软件开发的重要安全概念。他勾画了设计开发软件的基本环境,揭示了软件在提供信息系统安全方面的重要角色5、运行安全运行安全OperatingSecurity:被用于鉴别附带在硬件、媒体和能够特权访问这些资源的操作者与管理者上的控制。为了识别关键因素并将相关信息报告给相应的个人、组织或程序,审计和监视是允许分辨安全事件和后续行为的机制、工具和设备6、物理安全物理安全PhysicalSecurity:为整个设备提供保护技术,从外部表层到内部的处理空间
66、,包括所有信息系统资源7、密码学密码学Cryptography:阐述隐藏信息的原理、手段和方法,来保证信息的完整性、机密性和权威性4848CBK8、通信网络、互联网安全通信网络、互联网安全Telecommunications,Network,andInternetSecurity:讨论以下内容:网络结构、传输格式、用于提供可用性、完整性和机密性的安全测量、用于基于内部和外部通信网络和介质传输的鉴权9、业务连续性计划业务连续性计划BusinessContinuityPlanning:探讨意外情况下的业务运行系统的备份与恢复10、法律、法规和道德规范法律、法规和道德规范Law,Investigations,andEthics:包括以下内容:计算机犯罪的有关法律法规;用于调查计算机犯罪案件的方法与技术4949谢谢!5050
