Third-year e-commerce student at BUPT's International School, organising knowledge points as the course progresses. Only the relatively important points from the slides are collected; the content is mixed and is not meant for last-minute exam revision. Minor points that I personally consider relatively unimportant are not listed. Please point out any errors. Please credit the source when reposting, and happy studying.
Edited with Effie; if you need the notes as pdf/docx/effiesheet/markdown, contact me by private message or on WeChat.
WEEK1
Because of a platform issue, re-importing the md automatically creates a new article, so for the complete Week 1 notes please go to
https://blog.csdn.net/qq_63759728/article/details/131098248?spm=1001.2014.3001.5502
What follows is mostly definitional material, so it is basically a translation of the slide content. If the exam uses case-style questions like the e-commerce law course, none of this needs to be memorised; just understand roughly what is what and have something to say. If there are other changes or new insights, this paragraph will be revised later.
In Week 1 it is hard to pull out something as logically structured as e-commerce law. In other words, the information in the slides is cluttered and not very useful; reading through it feels nothing like e-commerce law, which is introduced in a few big blocks, and the share of actual legal provisions is pulled very low. More thoughts on this course will have to wait until I have observed another week of classes. Just pick and memorise bits of the Week 1 material, since there are no past papers yet.
Cyber security is the application of technologies, processes and controls to protect systems, networks, programs, devices and data from cyber attacks
It aims to reduce the risk of cyber attacks, and protect against the unauthorised exploitation of systems, networks and technologies
Three distinct elements: information security, privacy and data protection, and cybercrime
Seeks to protect all information assets, whether in hard copy or in digital form
Information is one of the most valuable assets
Good business practice
Digital revolution changed how people communicate and conduct business
New possibilities & challenges
Data privacy is the regulations, or policies, that govern the use of my data when shared with any entity
Data protection is the mechanism — that is, the tools and procedures — to enforce the policy and regulation, including the prevention of unauthorised access or misuse of the data that I agreed to share
Privacy is an individual’s right to control the use and disclosure of their own personal information
Information security is the process used to keep data private
Cybercrime is an act that violates the law, by using information and communication technology (ICT) to either target networks, systems, data, websites and/or technology or facilitate a crime
Cybercrime knows no physical or geographic boundaries and can be conducted with less effort, greater ease, and at greater speed and scale than traditional crime
Growing number of devices
Every computer program, app or website is also software, and software often has vulnerabilities
A virtualized information technology infrastructure (cloud services)
Increasing number, scope and complexity of legal obligations in relation to information security, privacy and data protection, different approaches
Different legal systems between countries, variations in national cybercrime laws, differences in the rules of evidence and criminal procedure, applicability of international treaties
With the advent of new technologies (e.g., Internet of Things, drones, robots, self-driving cars), new cybercrime trends will be identified and therefore new information security and privacy measures will need to be developed
Cyber attacks may involve:
Processes, procedures and infrastructure to preserve:
Confidentiality means that only people with the right permission can access and use information
Protecting information from unauthorised access at all stages of its life cycle
Information must be created, used, stored, transmitted, and destroyed in ways that protect its confidentiality
Ensuring confidentiality – encryption, access controls
Compromising confidentiality – (intentional) shoulder surfing, social engineering; (accidental) publication
It may result in identity theft, threats to public safety
Integrity means that information systems and their data are accurate
Changes cannot be made to data without appropriate permission
Ensuring integrity – controls ensuring the correct entry of information, authorization, antivirus
Compromising integrity – (intentional) employee or external attacks; (accidental) employee error
Specific to integrity and confidentiality considerations
Ensuring that a machine or person is that which they purport to be
In the analogue world, signatures, handwriting, in-person attestation, witnesses, notary public, etc.
In the digital world, it may not only be a person but also a machine we are seeking to authenticate
Availability is the security goal of making sure information systems are reliable
Data is accessible
Individuals with proper permission can use systems and retrieve data in a dependable and timely manner
Ensuring availability – recovery plans, backup systems
Compromising availability – (intentional) denial of service (DoS) attack, (accidental) outage
Risk management as a means to justify information security laws
= the process of listing the risks that an organization faces and taking steps to control them
Successful attacks take place when a vulnerability is exploited
People
Process
Facility
Technology
Anything that can cause harm to an information system – successful exploits of vulnerabilities
An organization does not have sufficient controls to prevent an employee from deleting critical computer files (lack of controls – vulnerability). An employee could delete files by mistake (employee – source of threat) (deleting critical files – threat). If the files are deleted, a successful exploit of the vulnerability has taken place. If the file is not recoverable, the incident harms the organization and its security. Availability is compromised.
[In short, a threat is the result achieved by exploiting a vulnerability, i.e. an "event", whereas a vulnerability is a flaw that can be exploited, i.e. a "thing"]
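As an added illustration of the slide scenario above (my own example, not from the slides): a minimal model in which the vulnerability is the missing control, the threat is an employee's mistaken deletion, and two safeguards (authorisation and recoverable deletion) keep availability intact. The file names, roles and permissions are constructed for the illustration.

```python
from dataclasses import dataclass, field

# Constructed sample data: which files are critical and which roles may delete them.
CRITICAL_FILES = {"ledger.db", "customer_records.csv"}
ROLE_PERMISSIONS = {
    "employee": {"read", "write"},
    "backup_operator": {"read", "write", "delete_critical"},
}

@dataclass
class FileStore:
    """The lecture's vulnerable organisation: no deletion control, no backup."""
    files: dict = field(default_factory=dict)
    def delete(self, actor_role, name):
        del self.files[name]  # lack of controls: the mistake succeeds and is final
    def is_available(self, name):
        return name in self.files

@dataclass
class SafeguardedStore(FileStore):
    """Same store with two safeguards: authorisation and recoverable deletion."""
    trash: dict = field(default_factory=dict)
    def delete(self, actor_role, name):
        # Safeguard 1 (authorisation) closes the 'lack of controls' vulnerability:
        # an ordinary employee cannot realise the threat against a critical file.
        if name in CRITICAL_FILES and "delete_critical" not in ROLE_PERMISSIONS.get(actor_role, set()):
            raise PermissionError(f"role {actor_role!r} may not delete {name!r}")
        # Safeguard 2 (backup): an authorised deletion is reversible, so
        # availability can be restored instead of being lost for good.
        self.trash[name] = self.files.pop(name)
    def restore(self, name):
        self.files[name] = self.trash.pop(name)

def employee_mistake(store_cls):
    """Replay the lecture scenario (an employee deletes a critical file by mistake)
    and report whether the file is still available afterwards."""
    store = store_cls(files={"ledger.db": b"balances", "memo.txt": b"notes"})
    try:
        store.delete("employee", "ledger.db")
    except PermissionError:
        pass  # the control blocked the deletion
    return store.is_available("ledger.db")

def authorised_delete_then_restore():
    """An authorised deletion lands in the recoverable store; restore undoes it."""
    store = SafeguardedStore(files={"ledger.db": b"balances"})
    store.delete("backup_operator", "ledger.db")
    gone = not store.is_available("ledger.db")
    store.restore("ledger.db")
    return gone, store.is_available("ledger.db")
```

Running the scenario against the unsafeguarded store loses the file (availability compromised); against the safeguarded store the deletion is blocked, and an authorised deletion can still be undone.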
Human
Natural
Technology and operational
Physical and environmental
A likelihood that a threat will exploit a vulnerability and cause harm, where the harm is the impact to the organization
**Risk = vulnerability + threat**
Risks can occur at any layer of the information system:
Risk analysis and management to classify and respond to risks
Probability a threat will exploit a vulnerability – high, medium, low
Information security impact – loss of confidentiality, integrity and availability
Other impacts – loss of life, productivity or profit, property and reputation
Assessment of impact – address risks that have a large impact on information security
Types of responses: risk avoidance, risk mitigation, risk transfer, risk acceptance
A safeguard reduces the harm posed by information security vulnerabilities or threats
Safeguards can be put in place at all layers of the system:
No single information security law – no single definition
Different potential sources of liability: statutes, regulations, contracts, organizational governance, voluntary organizations, private law tort
Different kinds of information often sought to be protected:
No such thing as perfect information security
Tort law
Contract Law
Sector regulators are increasingly auditing companies for their information security management and also issuing ‘regulatory guidance’ or ‘best practice advisories’ on information security
Emerging guidance in the form of ‘standards’
These standards determine how to comply with a legal duty or self-imposed obligation for adequate/reasonable/appropriate information security
These are all just examples; just look at the diagram
These legal obligations specify a duty:
They don’t usually give specific guidance as to what that means or how it is to be accomplished
The duty to keep information secure is not further specified in the statutes
The GDPR indicates: ‘Having regard to the state of the art and the cost of their implementation, such measures shall ensure a level of security appropriate to the risks represented by the processing and the nature of the data to be protected.’
A cost/risk analysis qualifies an appropriate level of security
[The material above really has no single main line of logic, so the slides are messy and my summary is messy too; make do with it, there isn't much content anyway]
It might potentially include any device that has the ability to communicate
Next up are the information security issues relating to the EU
[Why put the conclusion first: because the slides are too messy, and the conclusion should contain the key points; read what follows with those key points in mind]
Organisations that decide to collect and process personal data for their own purposes are known as controllers
A controller may engage a service provider or processor to process personal data on behalf of the controller
A processor is an individual or legal person or other body that processes personal data on behalf of the controller
The GDPR regulates the processing of personal data
Personal data is any information relating to an identified or identifiable natural person (‘data subject’)
Identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person
Relates to living individuals only
Special categories of personal data are subject to a stricter regime
Data breach is a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data
When a personal data breach has occurred, organisations need to establish the likelihood and severity of the resulting risk to people’s rights and freedoms
The adverse effect of a security incident on individuals may include emotional distress, and physical and material damage
GDPR Article 28 states that controllers must include in contracts with processors
NIS Directive 2 regulates the cybersecurity of critical national infrastructure, and updates the previous version
It applies to providers of critical national infrastructure (CNI):
Operators of essential services (OES) provide a listed service in one of seven critical infrastructure sectors: energy, transport, banking, financial markets, health, drinking water, and digital infrastructure
They operate on such a scale that their service is “essential for the maintenance of critical societal and economic activities”
Digital service is a new subset of the category of service known as ‘information society services’, which is any service normally provided for remuneration, at a distance, by electronic means and at the individual request of a recipient of services
Digital service providers (DSPs) are:
A private law mechanism
Data controllers can be held liable under the tort of negligence for damages caused by cybersecurity incidents that they should have reasonably foreseen and prevented or mitigated
To hold data controllers liable, a court would have to find that (i) the operator had a duty of care to the person(s) who suffered harm which (ii) the operator failed to fulfil
Duty – breach – causation – harm
A duty of care may arise from:
There must be proximity between the parties for a duty of care to exist
Foreseeability means that a person can be held liable only when they should reasonably have foreseen that their negligent act would imperil others
Damage needs to be proven by claimants – economic loss or emotional harm