The primary information an organization needs to protect includes, for example, order details, company expenditure, employee salary information, and the passwords of network staff. Wherever this information resides (on the database server or on other servers), protecting it depends on the security of the host computer and of the network. Beyond these obviously important data, there is information that seems unimportant but that an attacker can use to improve an attack or to gain control of systems and so reach more data; it should be protected as well. Examples are network diagrams, the model and brand of each device, and the names, surnames and dates of birth of employees and network staff. Controlling remote access to sensitive data requires a risk assessment that finds vulnerabilities and then protects against them. For example, the assessment may find that SQL Injection can bypass the authorization check and extract data from the database, or that an XSS attack can steal the Cookie/Session ID of the webmaster and then log on to the web site with the webmaster's permissions; webmasters often manage the information in the database through the web interface. In addition to the organization's own information, customer data must be protected, such as customer credit card information held in the database of an e-commerce web site.

2.4 Training
Training includes both general training and certification-oriented courses (Certificate). On the certification side, the exams can be divided as follows. Basic level: CCSA, CWNA, i-Net+, Security+, CIW, CCSPA, CCSE. Intermediate level: Security Analyst, CWSP. Advanced level: Solaris 9 Security, CCSP, CCSE Plus, CCMSE, CISSP, SSCP.

2.5 Auditing (Audit)
Today the IS/IT Auditor, or information systems auditor, is a profession in demand: a specialist function that examines the work of the system development and operations functions.
A major problem is the shortage of information systems auditors. Around the world, many people still understand "internal auditor" to mean "information systems auditor". This is not wrong, but it is incomplete: information systems auditors are divided into two categories, the internal information systems auditor (Internal IS/IT Auditor) and the external information systems auditor (External IS/IT Auditor). The difference is that internal information systems auditors are the organization's own staff, not people from outside. Normally the internal information systems auditor belongs to the internal audit department, which reports to the Board of Directors, is responsible for monitoring the overall information system of the organization, and is independent of the IT department's control. The external information systems auditor is even more independent of the IT department or the CIO; organizations often hire an external professional firm (3rd Party Security Audit Firm) to act as information systems auditor. In the eyes of people in the organization, the obvious differences are the professionalism and independence of the External Auditor. In summary, both the IT Internal Auditor and the IT External Auditor play an important role in monitoring the organization's information system, but their roles and viewpoints differ: the IT Internal Auditor focuses on periodic checks according to the annual audit schedule, while the External Auditor focuses on the security of the information system from an expert's viewpoint.

The information security audit model and its investigation techniques are divided into the following three steps (levels).

Step 1: Best Practices Checklist or Interview Techniques
This procedure is the basic step that should be performed first.
It is sometimes called a "Gap Analysis" based on ISO/IEC 27001 best practice or the CobiT Framework, applied as a checklist audit in interview sessions. Verification at this stage focuses on the PP (People and Process) in the PPT (People, Process and Technology) concept. The idea is for the information systems auditor to understand the concept and awareness of information security management among the organization's administrators, information systems staff and general computer users through interviews (Interview Schedule). Normally the interviews should not cover more than 10 people, and each interview should not exceed 1 hour. The interviews let the auditor see which information security best practices the enterprise has adopted as its corporate framework and in which topics the organization (a financial organization, for instance) does not "comply" with best practice. This makes the organization aware of its own weaknesses and serves as the auditing guideline for the next step.

Step 2: Vulnerability Assessment Techniques
This step focuses on monitoring from the viewpoint of the T (Technology) in the PPT (People, Process and Technology) concept, that is, a deep technical review. Together with the Best Practices Checklist interview (in step 1), it gives the auditor insight into the vulnerabilities or weaknesses of the information system. These can be verified with a Vulnerability Scanner such as Nessus (originally released as an open-source scanner), so that the system administrators acknowledge and agree on the problems found. Problems caused by vulnerabilities that have not yet been resolved should be presented by risk level, as High Risk, Medium Risk or Low Risk, etc. The information technology auditor therefore needs a basic level of information security knowledge and should have the skills to use the Vulnerability Scanner, which is regarded as the "Tool" used for verification. The auditor must also be able to interpret the Vulnerability Scanner results and present them in a format that makes the key points of the VA (Vulnerability Assessment) easy to understand. If the results are not interpreted and anchored to a reference such as the SANS Top 20 or the OWASP web application security standard, the report has no objective international standard to refer to. The interpreted results from the various Vulnerability Scanners should therefore be presented in PowerPoint form that executives can easily understand, visualizing clearly the problems that may occur in the system.
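The interpretation step described above, as an added example that is not part of the original text: the script below reads a Nessus v2 (.nessus) export, folds the scanner's numeric severity into the High/Medium/Low buckets the report uses, and produces the per-host summary and ranked top findings an auditor would put on the executive slide. The XML is a constructed miniature of the real .nessus v2 layout; the hosts, plugin IDs and plugin names in it are made up.

```python
"""
Summarise a Nessus v2 (.nessus) export by risk level, per host.

Added example, not from the original text. The XML below is a constructed
miniature of the real .nessus v2 layout (ReportHost / ReportItem elements with
a numeric severity attribute); hosts, plugin IDs and names are made up.
"""
import xml.etree.ElementTree as ET
from collections import Counter, defaultdict

# Nessus severity attribute: 0=Info, 1=Low, 2=Medium, 3=High, 4=Critical.
# The report in the text uses three buckets, so Critical is folded into High.
RISK_LEVELS = {0: "Info", 1: "Low", 2: "Medium", 3: "High", 4: "High"}

# Constructed sample export (declaration must be the very first characters).
SAMPLE_NESSUS = """<?xml version="1.0" ?>
<NessusClientData_v2>
 <Report name="constructed-sample">
  <ReportHost name="10.0.0.5">
   <ReportItem port="443" svc_name="www" protocol="tcp" severity="3"
               pluginID="100001" pluginName="Sample: SQL injection in login form">
     <cvss_base_score>7.5</cvss_base_score>
   </ReportItem>
   <ReportItem port="443" svc_name="www" protocol="tcp" severity="2"
               pluginID="100002" pluginName="Sample: reflected XSS in search">
     <cvss_base_score>4.3</cvss_base_score>
   </ReportItem>
   <ReportItem port="22" svc_name="ssh" protocol="tcp" severity="0"
               pluginID="100003" pluginName="Sample: SSH service detection"/>
  </ReportHost>
  <ReportHost name="10.0.0.9">
   <ReportItem port="1433" svc_name="mssql" protocol="tcp" severity="4"
               pluginID="100004" pluginName="Sample: unpatched database service">
     <cvss_base_score>10.0</cvss_base_score>
   </ReportItem>
   <ReportItem port="1433" svc_name="mssql" protocol="tcp" severity="1"
               pluginID="100005" pluginName="Sample: weak TLS cipher offered"/>
  </ReportHost>
 </Report>
</NessusClientData_v2>
"""


def parse_findings(xml_text):
    """Return one dict per ReportItem with the fields a report needs."""
    root = ET.fromstring(xml_text)
    findings = []
    for host in root.iter("ReportHost"):
        for item in host.iter("ReportItem"):
            cvss = item.findtext("cvss_base_score")  # absent on info-only plugins
            findings.append({
                "host": host.get("name"),
                "port": int(item.get("port")),
                "plugin_id": item.get("pluginID"),
                "name": item.get("pluginName"),
                "risk": RISK_LEVELS[int(item.get("severity"))],
                "cvss": float(cvss) if cvss else None,
            })
    return findings


def severity_summary(findings):
    """Count findings per host and risk level, dropping informational items."""
    summary = defaultdict(Counter)
    for f in findings:
        if f["risk"] != "Info":
            summary[f["host"]][f["risk"]] += 1
    return {host: dict(counts) for host, counts in summary.items()}


def top_findings(findings, n=3):
    """Highest-risk items first for the executive slide: risk bucket, then CVSS."""
    order = {"High": 0, "Medium": 1, "Low": 2, "Info": 3}
    ranked = sorted(findings, key=lambda f: (order[f["risk"]], -(f["cvss"] or 0)))
    return [(f["host"], f["risk"], f["name"]) for f in ranked[:n]]


if __name__ == "__main__":
    fs = parse_findings(SAMPLE_NESSUS)
    for host, counts in severity_summary(fs).items():
        print(host, counts)
    for row in top_findings(fs):
        print(row)
```

Informational plugins are dropped from the counts so that service-detection noise does not inflate the numbers shown to executives; the ranking sorts by the report's risk bucket first and uses the CVSS base score only to order items within a bucket, which keeps the slide consistent with the High/Medium/Low presentation the text prescribes.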