CHAPTER 7 Information Security Process
Copyright 2001 The McGraw-Hill Companies Inc.
Network Security: A Beginner's Guide

Information security is a proactive process to manage risk. Unlike a reactive model, in which an organization experiences an incident before taking steps to protect its information resources, the proactive model takes steps prior to the occurrence of a breach.

In the reactive model, the total cost of security is unknown:

Total Cost of Security = Cost of the Incident + Cost of Countermeasures

Unfortunately, the cost of an incident is unknown until it actually occurs. Since the organization has taken no steps before the incident occurred, there is no way to know what the cost of an incident might be. Therefore, the risk to the organization is unknown until an incident has occurred.

Fortunately, organizations can reduce the cost of information security. Proper planning and risk management will drastically reduce, if not eliminate, the cost of an incident. If the organization had taken the proper steps before the incident occurred and the incident were prevented, the cost would have been:

Cost of Information Security = Cost of Countermeasures

Note also that:

Cost of the Incident + Cost of Countermeasures > Cost of Countermeasures

Taking the proper steps before an incident occurs is a proactive approach to information security. In this case, the organization identifies its vulnerabilities and determines the risk to the organization if an incident were to occur. The organization can now choose countermeasures that are cost-effective. This is the first step in the process of information security.
The process of information security (see Figure 7-1) is a continual process comprised of five key phases:

- Assessment
- Policy
- Implementation
- Training
- Audit

Individually, each phase does bring value to an organization; however, only when taken together will they provide the foundation upon which an organization can effectively manage the risk of an .