How to Prevent Data Breaches Using Administrative Controls

This article is part of my series on how to prevent data security breaches. Read more about how you can use physical safeguards and technical safeguards to mitigate your business risk.


Preventing data breaches requires a combination of approaches to manage people, processes, and technologies to implement robust security controls. This article addresses the security controls that can help you minimize the risk of security breaches. It is impossible to prevent all data breaches, and it would be cost-prohibitive to try. Nonetheless, each organization will need to conduct its own risk management process to settle on a balance between implementing controls to minimize the risk of breaches and the time, effort, and money needed to implement such controls.


Administrative safeguards are the non-technical, “soft” measures that management establishes regarding acceptable employee conduct, personnel procedures, and correct technology usage within the enterprise.


For context, this article refers to a business covered by a security policy as the “Covered Entity.”


Risk Analysis

Risk analysis consists of four components:


  1. Asset identification and valuation
  2. Threat identification
  3. Vulnerability identification
  4. Risk identification

Asset Identification and Valuation

The term “assets” refers to items of value to the Covered Entity, which includes (among other things) computer hardware, mobile devices, software, records, and other information. Asset identification and valuation involve listing assets to be considered within the scope of the risk assessment. Once identified, the Covered Entity needs to assign the appropriate value to each asset, which can be monetary or simply a qualitative measure of the asset’s value (e.g., high, medium, or low).


Threat Identification

A threat is a negative event that has the potential to damage an asset that is vulnerable to such a threat. Information security threats compromise the confidentiality, integrity, or availability of information. Threats may be intentional, such as a hacker attempting to break into a network. Additionally, threats may also be inadvertent, such as the mistyping of an e-mail address, which may be attributable to natural human carelessness or fatigue. Threats may extend beyond human conduct, whether intentional or not, to natural or physical phenomena. For instance, hurricanes and earthquakes pose threats to the availability of information when they strike data centers and the equipment operating in them.


Vulnerability Identification

A vulnerability is a weakness in an asset that allows a threat to damage that asset. This weakness can stem from the lack of a control designed to protect the asset, a weakness in the control itself, or a characteristic of the asset. Threats have the potential to exploit these weaknesses to damage the confidentiality, integrity, or availability of the asset. Because vulnerabilities only exist in the context of a threat, the Covered Entity must carefully consider which threats are relevant to it when assessing the vulnerability of an asset to a particular threat.


Risk Identification

The risk identification step analyzes risk based on the likelihood that a threat will exploit a vulnerability and the impact that event would have on the vulnerable asset. The Covered Entity can use existing questionnaires, interviews with experts, past history and other means to determine the risks the organization may encounter. The Covered Entity should document potential risk elements as part of its risk management process. High risks are those involving threats that occur frequently and/or exploit vulnerabilities of high-value assets. Low risks are those where a minor vulnerability may expose a low-value asset to unlikely or infrequent compromise or loss. Even when the risk identification step is completed, there is a remaining “unidentified risk.”


Risk Management

Risk Management describes the continuous, iterative process of:


  1. Analyzing changes to the Covered Entity’s environment, including such factors as: (i) implementation of new technology and associated vulnerabilities; (ii) developments in new threat technology; (iii) changes to organizational structure and business goals; and (iv) changes in regulations
  2. Measuring and prioritizing risks and corresponding mitigation measures and incorporating them into a Risk Management Plan
  3. Implementing those mitigation measures defined in the Risk Management Plan

The Risk Management Plan should address how risk is to be managed to an acceptable level. Risks may be prioritized on the basis of the degree of risk, the magnitude of harm that a threat could cause, the cost to mitigate a vulnerability, business goals and critical needs, and expected effectiveness of mitigation measures.


Security Management Function

A Covered Entity should have a person in charge of the information security function at the company. For purposes of accountability, that one person should be accountable to senior management and ultimately the board of directors or equivalent. If the Covered Entity does not have such a person, then the security function is scattered, multiple people may attempt to shift responsibility among themselves, and critical security tasks may fall through the cracks. Frequently, management assigns security oversight in a company to a Chief Information Security Officer.


Hiring, Supervising, Terminating Workers, Single-user Accounts, and Accountability

People are the weakest link in any security program. To address this vulnerability, the Covered Entity must institute policies, procedures, and standards to ensure that the security risk posed by the workforce itself is managed. Workers without a need for access should not be given access rights, and workers without explicit access rights should be denied access to security-sensitive information. To comply with these administrative safeguards, the Covered Entity should implement the following three procedures:


  1. Authorization and/or supervision: granting access privileges and supervising workers’ access to security-sensitive information
  2. Workforce clearance procedure: managing the hiring and HR policies of the Covered Entity to ensure that it fills roles with trustworthy and competent personnel
  3. Termination procedures: revoking access privileges and obtaining the return of devices, media, and security-sensitive information

Access Management

These administrative procedures govern how Covered Entities grant access privileges for applications, workstations, and security-sensitive information to authorized people in the organization. When determining who in the organization should access systems, programs, databases, or other intermediaries to security-sensitive information, management should consider policies that limit access to the minimum number of people and the minimum extent necessary for employees to perform their job. Granting privileges that exceed the minimum required for proper job performance can add risk to the security and privacy of sensitive information.


Security Awareness and Training

People cannot perform their duties securely unless they are familiar with the entity’s security policies and procedures. Awareness allows employees to grasp the importance of security and its role in protecting privacy. Training focuses on how to use the security features and maintain a secure information-processing environment.


Reminders

Training and awareness are continuous, not one-time events. The Covered Entity must have an ongoing, periodic security awareness and training program. Its goal should be to keep staff updated on the latest risks and threats the system is facing, as well as any changes in the Covered Entity’s security programs.


Malware/Social Engineering

The organization must have a policy and procedure on how it will protect itself from malicious software and phishing attacks. Malicious software is any code that compromises the confidentiality, integrity, or availability of security-sensitive information. Examples of malicious software include viruses, worms, and Trojan horses. Most recently, companies have been victimized by numerous “ransomware” attacks, in which malicious software encrypts a company’s data and the attackers demand a ransom to decrypt it.


Malicious software can enter the environment from many sources, including email, USB drives and other media, employee-installed software, and websites. Phishing attacks involve sending messages that lure people into signing on to phony sites and disclosing their login credentials, which can then be harvested and used for impersonation, identity theft, and other malicious purposes.


Log-in Monitoring

The Covered Entity should have appropriate procedures for monitoring attempts to log into systems or applications that contain or can access security-sensitive information and for reporting anomalous events. Examples of these events include:


  • Unusual times for a workstation to be active or logged in — such as well after business hours or during an employee’s off time — which may indicate an employee may be trying to get protected information outside of the scrutiny of his/her supervisor, or an attacker may be attempting to gain unauthorized access.
  • Unusually high numbers of failed login attempts — which might indicate that an attacker is trying to log in, does not know the password but is attempting to guess it.
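The two monitoring conditions above, as an added example that is not from the original article: constructed authentication log lines are checked for successful logins outside business hours and for bursts of failed attempts against one account from one source. The business-hours window, the failure threshold and the time window are assumed policy values.

```python
from collections import defaultdict
from datetime import datetime, time, timedelta

# Constructed sample authentication log (not from the article).
# Format per line: "<ISO timestamp> <account> <source address> <SUCCESS|FAILURE>"
SAMPLE_LOG = """\
2024-03-04T09:12:05 alice 10.0.0.12 SUCCESS
2024-03-04T09:13:40 bob 10.0.0.15 SUCCESS
2024-03-04T23:47:10 carol 10.0.0.20 SUCCESS
2024-03-04T02:03:00 dave 203.0.113.9 FAILURE
2024-03-04T02:03:02 dave 203.0.113.9 FAILURE
2024-03-04T02:03:05 dave 203.0.113.9 FAILURE
2024-03-04T02:03:07 dave 203.0.113.9 FAILURE
2024-03-04T02:03:09 dave 203.0.113.9 FAILURE
2024-03-04T10:30:00 bob 10.0.0.15 FAILURE
"""

# Assumed policy values; the article names the conditions but not the numbers.
BUSINESS_HOURS = (time(8, 0), time(18, 0))
FAILED_THRESHOLD = 5            # failures from one source within WINDOW
WINDOW = timedelta(minutes=10)


def parse_log(text):
    events = []
    for line in text.splitlines():
        ts, account, source, result = line.split()
        events.append((datetime.fromisoformat(ts), account, source, result))
    return events


def off_hours_logins(events, hours=BUSINESS_HOURS):
    """Successful logins outside business hours (the article's first example)."""
    start, end = hours
    return [(ts.isoformat(), account, source)
            for ts, account, source, result in events
            if result == "SUCCESS" and not (start <= ts.time() < end)]


def failed_login_bursts(events, threshold=FAILED_THRESHOLD, window=WINDOW):
    """Account/source pairs with >= threshold failures inside one sliding window."""
    failures = defaultdict(list)
    for ts, account, source, result in events:
        if result == "FAILURE":
            failures[(account, source)].append(ts)
    alerts = []
    for (account, source), times in failures.items():
        times.sort()
        peak, start = 0, 0
        for end in range(len(times)):          # two-pointer sliding window
            while times[end] - times[start] > window:
                start += 1
            peak = max(peak, end - start + 1)  # failures in the current window
        if peak >= threshold:
            alerts.append((account, source, peak))
    return alerts
```

A single failure (bob at 10:30) is not reported; only the account whose failures cluster within the window reaches the threshold.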

Password/Credential Management

Covered Entities can train their personnel to choose and maintain secure passwords used for access control to systems and information. Passwords may have security standards themselves such as:


  • Minimum length.
  • Complexity (e.g., required numeric and non-alphabetical characters, lower- and upper-case letters, etc.).
  • Difficulty of guessing (e.g., avoidance of dictionary words, maiden names, pets’ names, spouse’s name, etc.).
  • Minimum and maximum usage time dictating when they must be changed.

Password management and password confidentiality policies and procedures directly affect the security of the accessed system or application.

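The password standards listed above as a checkable policy (an added example, not from the original article): the length, complexity and guessability rules return the violations for a candidate password, and the usage-time rule classifies a password's age. The numeric thresholds, the dictionary word list and the per-user personal words are assumptions.

```python
import re
from datetime import date, timedelta

# Assumed policy values; the article lists the rule types, not the numbers.
MIN_LENGTH = 12
MIN_AGE = timedelta(days=1)     # minimum usage time before a change is allowed
MAX_AGE = timedelta(days=90)    # maximum usage time before a change is required
# Constructed deny-list standing in for the dictionary words the article mentions.
DICTIONARY_WORDS = {"password", "welcome", "summer", "letmein", "qwerty"}
CHARACTER_CLASSES = {
    "lowercase": r"[a-z]",
    "uppercase": r"[A-Z]",
    "digit": r"\d",
    "symbol": r"[^A-Za-z0-9]",
}


def check_password(candidate, personal_words=()):
    """Return the policy rules the candidate violates; an empty list means compliant.

    personal_words holds the names the article says to avoid (pets, spouse,
    maiden name); they are supplied per user since no global list knows them.
    """
    violations = []
    if len(candidate) < MIN_LENGTH:
        violations.append("min_length")
    missing = [name for name, pattern in CHARACTER_CLASSES.items()
               if not re.search(pattern, candidate)]
    if missing:
        violations.append("complexity")
    lowered = candidate.lower()
    banned = DICTIONARY_WORDS | {w.lower() for w in personal_words}
    # Substring match catches "Summer2024!!" style passwords, not just exact words.
    if any(word in lowered for word in banned if len(word) >= 4):
        violations.append("guessable")
    return violations


def rotation_status(last_changed, today):
    """Apply the minimum/maximum usage-time rule to a password's age."""
    age = today - last_changed
    if age < MIN_AGE:
        return "too_new_to_change"
    if age > MAX_AGE:
        return "expired"
    return "ok"
```

The maximum-age rule is included because the article lists it; current NIST SP 800-63B guidance discourages forced periodic rotation in favour of changing a password when compromise is suspected.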

If the Covered Entity uses authentication methods other than passwords, such as smart cards or other hardware tokens, it should have policies and procedures for issuing, managing, and revoking credentials associated with such devices.


Incident Response and Handling

The Covered Entity should train all personnel to recognize events that may indicate a security incident has taken place. It should also establish mechanisms and procedures for reporting such events as potential security incidents, and procedures for investigating and responding to them.


As a response to incidents, Covered Entities must take steps to mitigate the effect of incidents. Mitigation may take the form of closing a vulnerability that caused the incident, retrieving information that was lost or misappropriated, implementing a new security safeguard, or strengthening an existing safeguard.


In any event, Covered Entities should document incident reporting and handling to make a record of what happened, assist in managing future efforts to respond to the incident, and facilitate remedial actions to prevent similar incidents in the future.


Backup, Disaster Recovery, and Business Continuity

Data backup planning and execution involve more than occasionally making a copy of security-sensitive information and storing it somewhere. Backup planning and implementation should be a formal process that includes planning for:


  • Backup frequency and maximum allowable data loss: The backup frequency (e.g., once per week, once per day, once per hour) and the location of the backup media determine the maximum allowable data loss (the amount of data that wasn’t backed up, but now, due to the emergency or other incident, is not retrievable).
  • Maximum time to restore: This metric determines how long it will take to move the backup copy into service. Different methods of storage — tape, optical disk, etc. — require different amounts of time to restore.

Backups need the same security protections as information receives in its primary (production) systems for normal use. Backup policies and procedures must be subject to the same management controls as the production services.


Assessment

No policy or procedure lasts forever. Management should ensure that policies and procedures are kept current with prevailing security threats, information system vulnerabilities, and security and privacy risks. Management should identify the policy and procedure evaluation frequency (such as once per year, etc.) and document it in the Covered Entity’s security policies and procedures. Covered Entities need to maintain version control of all policies and procedures. All personnel and advisors should be working with the most recent version of a policy or procedure.


Third-Party Supervision

Today, outsourcers and vendors perform many key roles for Covered Entities. When performing these functions, they will likely have access to security-sensitive information. Covered Entities should put into place appropriate agreements to require that third-party service providers protect the security of such information. Agreements should identify the information that needs to be protected, require assurances of security, contain a mechanism to assess compliance, require notification if a security breach occurs, and impose consequences in the event of a breach.


Stephen Wu is a shareholder with Silicon Valley Law Group and the practice leader for the Artificial Intelligence and Robotics Service Group. Follow him on Twitter and LinkedIn.


Originally published at https://www.airoboticslaw.com.


Translated from: https://medium.com/swlh/how-to-prevent-data-breaches-using-administrative-controls-a271d90ae5ba
