一些名词不理解

lionelhua

在cccure.org下了一个ppt文档，里面讲Access control的，其中讲到\r\n\r\nProactive access control的时候，它列举了9条：\r\n\r\nAwareness training（这个应该理解成什么呢？？）\r\nBackground checks\r\nSeparation of duties\r\nSplit knowledge（为什么）\r\nPolicies\r\nData classification\r\nEffective user registration\r\nTermination procedures\r\nChange control procedures\r\n\r\n谢谢：）

zhuwm99

[QUOTE]最初由 lionelhua 发布\r\n[B]在cccure.org下了一个ppt文档，里面讲Access control的，其中讲到\r\n\r\nProactive access control的时候，它列举了9条：\r\n\r\nAwareness training（这个应该理解成什么呢？？）\r\n风险意识训练，通过培训，演习增强领导层或全体员工对的风险意识。\r\n\r\nBackground checks\r\nSeparation of duties\r\nSplit knowledge（为什么）\r\n???\r\n将知识分块，避免个人对系统知识超出其职责和权限？（不确定）\r\n\r\nPolicies\r\nData classification\r\nEffective user registration\r\nTermination procedures\r\nChange control procedures\r\n\r\n谢谢：）

omni

Awareness ...to focus attention on security\r\nTraining ...to produce relevant and needed security skills and competency\r\nsplit knowledge: 1. In secure communications, a condition under which two or more entities separately have key components that, individually, convey no knowledge of the resultant cryptographic key. [After X9.24] 2. Separation of data or information into two or more parts, each part constantly kept under control of separate authorized individuals or teams so that no one individual or team will know the whole data. [INFOSEC-99]

yfzhou72

同意omni的理解：\r\nsplit knowledge 应理解为：知识分块，以避免个人或一个小组掌握所有的信息的风险

lionelhua

呵呵，我怎么觉得有点象老子的“愚民”思想。

木林森

适当的分离才能有效控制，这是本质。

fred_yu

The escrowed encryption technology is a sample of split knowledge.