2013年mcm建模前期準(zhǔn)備的參考優(yōu)秀

C安全與否,E;O*^8E)t8o4G%x,Y9你大概聽計(jì)算機(jī)和計(jì)算機(jī)除非你的計(jì)算機(jī)遭到過或的攻或者病毒，那么其中重要的個(gè)人信息和軟件就有可能丟失。+v+R;{!C9kIT安全性的方案。明確的任務(wù)將在后面給出。8 S6M7Y.n&X-U.通過多個(gè)防御層來防止計(jì)算機(jī)系統(tǒng)活動(dòng)的。包括政策層和技術(shù)層(圖1,預(yù)防性的防御措施(略))兩者在內(nèi)的這些防御層將會(huì)對(duì)機(jī)構(gòu)的風(fēng)險(xiǎn)類型產(chǎn)生各種不同的影響(2,IT系統(tǒng)經(jīng)濟(jì)風(fēng)險(xiǎn)的示意圖(略))。用無(wú)線設(shè)備的使用有關(guān)可移動(dòng)的關(guān)注個(gè)人應(yīng)用的限制和用戶培訓(xùn)。一種實(shí)例性的政策可以包括對(duì)的長(zhǎng)度和所用字母的要求更改的費(fèi)用以及影響到生產(chǎn)效率和安全性的因素。在圖1中，只對(duì)最面作了詳細(xì)3@+y.G:O%檢測(cè)系統(tǒng)(IDS=IntrusionDetectionSystems)，，防系統(tǒng)，易受擊的掃描儀和冗余備份等。比如說，IDS監(jiān)視并記錄某一特定計(jì)算機(jī)或來自具有數(shù)據(jù)并能提供識(shí)別可疑活動(dòng)“之后”的偵破能力的網(wǎng)絡(luò)上的重要。 )是一個(gè)廣受歡迎的IDS方案。圖1提供了一個(gè)關(guān)鍵防御措施的樣本(管理/使用的政策和技術(shù)解決方案)和政策一樣,技術(shù)解決方案也有)u/W"?&k- q%ToBeSecureorNotto(V*V:n(]'}7j7U*Youprobablyknowaboutcomputerhackersandcomputeres.Unlessyourcomputerhasbeentargetedbyone,youmaynotknowhowtheycouldaffectanindividualoranorganization.Ifacomputerisattackedbyahackeroritcouldloseimportantalinformationandsoftware.:X(U4J2W;S:E.V)u0H4Z#EThecreationofanewuniversitycampusisbeingconsidered.Yourrequirementistomodeltheriskassessmentofinformationtechnology(IT)securityforthisproposeduniversity.ThenarrativebelowprovidessomebackgroundtohelpdevelopaframeworktoexamineITsecurity.Specifictasksareprovidedattheendofthisnarrative.Computersystemsareprotectedfrommaliciousactivitythroughmultiplelayersofdefenses.Thesedefenses,includingbothpoliciesand(Figure1PreventativeDefensiveMeasures),havevaryingeffectsontheorganization’sriskcategories(Figure2EconomicRiskSchematicforITSystems)."@;D9]%s0h9R$h+FManagementandusagepoliciesaddresshowusersinctwiththeorganization’scomputersandnetworksandhowpeople(systemadministrators)maintainthenetwork.Policiesmayincludepasswordrequirements,formalsecurityaudits,usagetracking,wirelessdeviceusage,removablemediaconcerns, aluselimitations,andusertraining.Anexamplepasswordwouldincluderequirementsforthelengthandcharactersusedinthepassword,howfrequentlytheymustbechanged,andthenumberoffailedloginattemptsallowed.Eachsolutionhasdirectcostsassociatedwithitsimplementationandfactorsthatimpactproductivityandsecurity.InFigure1,onlythetopmostbranchisfullydetailed.Thestructureisreplicatedforeachbranch.:},@/t/C-^-Thesecondaspectofasecuritypostureisthesetoftechnologicalsolutionsemployedtodetect,mitigate,anddefeatunauthorizedactivityfrombothinternalandexternalusers.Technologysolutionscoverbothsoftwareandhardwareandincludeintrusiondetectionsystems(IDS),firewalls,anti-systems,vulnerabilityscanners,andredundancy.Asanexample,IDSmonitorsandrecordssignificanteventsonaspecificcomputerorfromthenetworkexaminingdataandprovidingan“afterthefact”forensicabilitytoidentifyactivity.SNORT( )isapopularIDSsolution.Figure1providesasampleofkeydefensivemeasures(management/usagepoliciesandtechnologysolutions).Aswitha,atechnologysolutionalsohasdirectcosts,aswellasfactorsthatimpactproductivityandsecurity.K+j4Z!\2v,e8R:?風(fēng)險(xiǎn)的來源包括(但并不限于)機(jī)構(gòu)內(nèi)部或者外部的人或硬件（2）。不同的預(yù)防性防御措施（圖1）可能在防御內(nèi)部比防御來自計(jì)算機(jī)的威脅更有效。另外，外部的動(dòng)機(jī)往往不同，這也可能需要不同的安全措施。比如說對(duì)付一個(gè)正試圖檢索私人數(shù)據(jù)或庫(kù)的者和對(duì)付一個(gè)正試圖癱瘓網(wǎng)絡(luò)的者很可能要采取極不同的斗法。-F#q7i6u3L"X2屬于機(jī)構(gòu)可能要面對(duì)方面的潛在費(fèi)用包括機(jī)會(huì)成本(圖2)(注:企業(yè)管理沒有作出一項(xiàng)決策或未能利用一個(gè)能帶來收益的機(jī)會(huì)(例如投資項(xiàng)目),失去的收益就是機(jī)會(huì)成本)、人員費(fèi)用和預(yù)防性防御措施的費(fèi)用。重要的機(jī)學(xué)的衛(wèi)生院由于在應(yīng)訴醫(yī)療記錄可用性方面的損失比之于重建服務(wù)系險(xiǎn)類型都會(huì)對(duì)取決于機(jī)構(gòu)的任務(wù)和要求的費(fèi)用產(chǎn)生影響性指的是保護(hù)數(shù)據(jù)不向的者公開如果衛(wèi)生院的記錄數(shù)據(jù)因疏忽而被公開或者被果者修改了某些產(chǎn)品的定價(jià)信息或者刪除了全部的數(shù)據(jù)集機(jī)構(gòu)將會(huì)3_;~'`3h1為增加機(jī)構(gòu)安全狀況所執(zhí)行的每一種措施都會(huì)(正面或地)影響到這三種風(fēng)隨其后的潛在的機(jī)會(huì)成本機(jī)構(gòu)所的一個(gè)復(fù)雜的問題是怎樣在他們的潛在ITf.^#f)^!d;r&H(p)Q.KSourcesofrisktoinformationsecurityinclude,butarenotlimitedto,peopleorhardwarewithinoroutsidetheorganization(Figure2).Differentpreventivedefensivemeasures(Figure1)maybemoreeffectiveagainstaninsiderthreatthanathreatfromacomputerhacker.Additionally,anexternalthreatmayvaryinmotivation,whichcouldalsoindicatedifferentsecuritymeasures.Forexample,anintruderwhoistryingtoretrieveproprietarydataorcustomerdatabasesprobablyshouldbecombatedmuchdifferentlyfromanintruderwhoistryingtoshutdownanetwork.,F6|#G*v2}Potentialcostsduetoinformationsecuritythatanorganizationmayface(Figure2)includeopportunitycost,people,andthecostofpreventativedefensivemeasures.Significantopportunitycostsinclude:litigationdamages,lossofproprietarydata,consumerconfidence,lossofdirectrevenue,reconstructionofdata,andreconstructionofservices.Eachcostvariesbasedontheprofileoftheorganization.Forexample,ahealthcarecomponentoftheuniversitymighthaveagreaterpotentialforlossduetolitigationoravailabilityofpatientmedicalrecordsthanwithreconstructionofservices."t s/N ]8X(WAnorganizationcanevaluatepotentialopportunitycoststhroughariskysis.Riskscanbebrokendownintothreeriskcategories;ity,integrity,andavailability.Combined,thesecategoriesdefinetheorganization’ssecurityposture.Eachofthecategorieshasdifferentoncostdependingonthemissionandrequirementsoftheorganization.ityreferstotheprotectionofdatafromreleasetosourcesthatarenotauthorizedwithaccess.Ahealthcareorganizationcouldfacesignificantlitigationifhealthcarerecordswereinadvertentlyreleasedorstolen.Theintegrityofthedatareferstotheunalteredstateofthedata.Ifanintrudermodifiespricinginformationforcertainproductsordeletesentiredatasets,anorganizationwouldfacecostsassociatedwithcorrectingtransactionsaffectedbytheerroneousdata,thecostsassociatedwithreconstructingthecorrectvalues,andpossiblelossofconsumerconfidenceandrevenue.Finally,availabilityreferstoresourcesbeingavailabletoanauthorizeduser,includingbothdataandservices.Thisriskcanmanifestitselffinanciallyinasimilarmanner ityand*L7V~,n)F%L0Eachmeasureimplementedtoincreasethesecuritypostureofanorganizationwillimpacteachofthethreeriskcategories(eitherpositivelyornegatively).Aseachnewdefensivesecuritymeasureisimplemented,itwillchangethecurrentsecuritypostureandsubsequentlythepotentialopportunitycosts.AcomplicatedproblemfacedbyorganizationsishowtobalancetheirpotentialopportunitycostsagainsttheexpenseofsecuringtheirITinfrastructure(preventativedefensivemeasures).(@;h+{!J"K!o)O:j7\IT安全水平所需要的正確的政策和技術(shù)與系統(tǒng)管理員的培訓(xùn)等各項(xiàng)費(fèi)用一起極小化機(jī)會(huì)成本的各種預(yù)防性防御措施的最佳組合RiteOnIT一些據(jù)包含在附件中的表格A與表格B中。v+VEMs;E,N5F&{&s'p10個(gè)學(xué)術(shù)系，一個(gè)校際體育部，一個(gè)招生辦公室，一家書店，一個(gè)教務(wù)(成績(jī)和學(xué)術(shù)狀況管理)，一個(gè)可容納15,000名學(xué)生的綜合宿舍樓大學(xué)預(yù)期有600名職員和教（不包括IT支持人員）來完成日常的工作。學(xué)術(shù)系將21個(gè)計(jì)算機(jī)(每個(gè)30臺(tái)計(jì)算機(jī))600名職員和教員所使用的計(jì)算機(jī)(員一臺(tái)計(jì)算機(jī))。宿舍中的每個(gè)房間配備兩個(gè)可以高速接入校園網(wǎng)的接/WEB教務(wù)將一個(gè)WEB站點(diǎn)便于學(xué)生可以查詢情況和成績(jī)。另外，行政、學(xué)生健康中心和體育部也將各自一個(gè)B站點(diǎn)。3001個(gè)系統(tǒng)管理員（桌面支持）。另外，(WEB機(jī)或者數(shù)據(jù)管理系統(tǒng)的)1名系統(tǒng)管1IT機(jī)會(huì)成本的預(yù)測(cè).各種不同風(fēng)險(xiǎn)類型(C表示性、I表示完整性而A表示可用性)在給定成本中所占的1給出。2y/Q8F1^7k)f*H,Task1:YouhavebeentaskedbytheRite-OnConsultingFirmtodevelopamodelthatcanbeusedtodetermineanappropriateandthetechnologyenhancementsfortheproperlevelofITsecuritywithinanewuniversitycampus.Theimmediateneedistodetermineanoptimalmixofpreventivedefensivemeasuresthatminimizesthepotentialopportunitycostsalongwiththeprocurement,maintenance,andsystemadministratortrainingcostsastheyapplytotheopeningofanewprivateuniversity.Rite-OncontractedtechnicianstocollecttechnicalspecificationsoncurrentusedtosupportITsecurityprograms.DetailedtechnicaldatasheetsthatcatalogsomepossibledefensivemeasuresarecontainedinEnclosuresAandB.Thetechnicianpreparedthedatasheetsnotedthatasyoucombinedefensivemeasures,thecumulativeeffectswithinandbetweenthecategories ity,integrity,andavailabilitycannotjustbeadded..H(_-F%U'p(Q6c7z1D+@#Theproposeduniversitysystemhas10academicdepartments,adepartmentofintercollegiateathletics,anadmissionsoffice,abookstore,aregistrar’soffice(gradeandacademicstatusmanagement),andadormitorycomplexcapableofhousing15,000students.Theuniversityexpectstohave600staffandfaculty(nonITsupport)supportingthedailymission.Theacademicdepartmentswillmaintain21computerlabswith30computersperlab,and600staffandfacultycomputers(oneperemployee).Eachdormroomisequippedwithtwo(2)highspeedconnectionstotheuniversitynetwork.Itisanticipatedthateachstudentwillhaveacomputer.Thetotalcomputerrequirementsfortheremainingdepartment/agenciescannotbeanticipatedatthistime.ItisknownthatthebookstorewillhaveaWebsiteandtheabilitytosellbooksonline.TheRegistrar’sofficewillmaintainaWebsitewherestudentscancheckthestatusofpaymentsandgrades.Theadmissionsoffice,studenthealthcenter,andtheathleticdepartmentwillmaintainWebsites.Theaverageadministrativeemployeeearns$38,000peryearandtheaveragefacultyemployeeearns$77,000peryear.Currentindustrypracticeemploysthreetofoursystemadministrators(sysadmin)persub-networkandthereistypicallyone(1)sysadmin(helpdesksupport)employee300computers.Additionally,eachseparatesystemofcomputers(forwebhostingordatamanagement)istypicallymanagedbyone(1)sysadmin .8T-@%JH6i*hThecurrentopportunitycostprojection(duetoIT)withnodefensivemeasuresisshownin1.Thecontributionofvariousriskcategories( ityIntegrity,andAvailability)toagivencostisalsoshowninTable1.來確定其最初的IT安全系統(tǒng)并定期對(duì)它進(jìn)行更新。.M5x!i Q2Y)]8b:G任務(wù)3：為大學(xué)校長(zhǎng)準(zhǔn)備一個(gè)3頁(yè)左右的描述你在任務(wù)2中所建模型的么以及不應(yīng)該推斷什么。"p3p'B3Y0H任務(wù)4：如果你為一家提供WWW搜索引擎的商業(yè)公司(例如YahooAltaVista,…)IT安全模型，解釋兩者在初始風(fēng)險(xiǎn)類型貢獻(xiàn)方面(1)可能存在的差異。你為大學(xué)建立的模型同樣適用于這些商業(yè)性公司嗎？!S+D:|/w;fj%choneynet提出建議.(校注:HoneynetProject是一個(gè)由獻(xiàn)身于的安全專業(yè)人員的非性研究組織.它創(chuàng)建于1999年4月,其全部工作就是開放資源(OpenSource)并與安全界共享.)5m9Z5C9r%K9]#y任務(wù)6：要想成為一個(gè)IT安全咨詢方面的者，Rite-On咨詢公司必須能夠有效地預(yù)見到的未來發(fā)展方向并能夠向其他公司提出如何應(yīng)對(duì)未來風(fēng)險(xiǎn)的建議。在完成你的分析之后，為Rite-On咨詢公司的寫一份兩頁(yè)的備忘錄，的未來。另外，12和附錄12略]0D`8R7}$h9T+i9p26A.`;F!i4Q3k,U%Z/Task2:Weknowthattechnicalspecificationswillchangerapidlyovertime.However,therelationsandinteryamongcosts,riskcategories,andsourcesofriskwilltendtochangemoreslowly.CreateamodelfortheprobleminTask1thatisflexibleenoughtoadapttochangingtechnologicalcapabilitiesandcanbeappliedtodifferentorganizations.Carefullydescribetheassumptionsthatyoumakeindesigningthemodel.Inaddition,provideanexampleofhowtheuniversitywillbeabletouseyourmodeltoinitiallydetermineandthenperiodicallyupdatetheirITsecuritysystem.(u.h2o5m!G/c6Task3:Prepareathreepagepositionpapertotheuniversity