5 nguyên tắc quản lý rủi ro cho nhà quản lý an toàn thông tin

Mmmjtnc qugn<br /> <br /> <br /> <br /> DAT VAN DE<br /> Ngay nay, phdn Idn cac doanh nghiep deu phu td thit hai. Trong khi dd, cac nha quan ly, dac biet la<br /> thupc vao cac ben thii ba vdi miic dp khac nhau, ddi vdi cac cdng ty Idn thudng khdng danh gia dupc<br /> thuc td nay cang trd nen ro rang hon khi cac doanh day dii ve nhfmg hau qud gay ra khi ben thii ba lam<br /> nghiep chuyen ddi sang cac dich vu dua tren dam rd ri dfl lieu, didu dd tham chi cdn lam rdi loan hoat<br /> may. Thdng thudng, dd cung cap mdt san pham hay ddng hang ngay cua doanh nghiep, tao ra nhflng Id<br /> dich vu hieu qua hon, nhfing ben thii ba se yeu hdng dft Ueu dd tm tac tan cdng.<br /> cdu cung cap hay tmy nhap mpt phdn thdng tin bi<br /> Thach thitc vdi cac doanh nghiep la lam the nao<br /> mat cua doanh nghiep va /hoac cua khach hang.<br /> dd bao ve dii lieu trong khi khi ho khdng cd dii<br /> Do dd, viec quan ly va dam bao tinh an toan cho<br /> cdng cu de giam sat cac hoat ddng hdng ngay. Thuc<br /> dft lieu trong sudt qua<br /> te, viec gifi dfl Ueu "an<br /> trinh boat ddng ciia<br /> toan" la rdt khd, bdi<br /> doanh nghiep la mdt<br /> don gian vi mpi ngudi<br /> thach thiic Idn ddi vdi<br /> cdn phai sir dung nd<br /> cac lanh dao an toan<br /> thudng xuyen nen dft<br /> thdng tin.<br /> Ueu se khdng an toan.<br /> Cac chuong trinh Dac biet, khi cd them<br /> quan ly ciia nha cung su xuat hien ciia ddi tac<br /> cdp tmydn thdng thu ba dfl lieu cang it<br /> thudng dat khd nang an toan hon.<br /> phan phdi len hang ddu<br /> Cac doanh nghiep<br /> cdn vdn de bdo mat dii<br /> cd nhieu each tidp can<br /> Ueu chi dupc coi la ydu<br /> khac nhau de quan Iy<br /> <br /> <br /> TAP CHI CNTT&TT KY 2 (2.2011) |ll<br />  AN TOAN - BAO MAT<br /> <br /> sat cac san pham hoac dich vu do cac ben thii ba<br /> cung cap. Ngudi nay, cd the vdi su ttp 0iip cua ngudi<br /> Lanh dao an toan thdng tin (CISC)<br /> cd vai trd quan trong trong viec khac, se phai chiu trach nhiem cu the va true tiep<br /> giam bdt rui ro cua viec chia se dii trong viec qudn ly ben thir ba, bao gdm bat ky thiet<br /> lieu nhay cam cua doanh nghiep vdi hai nao do sai sdt ciia ben thii ba gay ra, nhdm bdo<br /> cac ddi tac thii ba. ve trpn ven dti lieu dupc cung cap cho hp.<br /> Do vay, trach nhiem dau hen ciia CISO la dam<br /> bao rdng doanh nghiep cd mdt quy trinh thuc hien<br /> nha cung cap (ben thir ba) nhu hpp ddng phan chia<br /> khi chia se dii Ueu vdi cac ben thii ba, de dam bao<br /> va quan ly nha cung cap giita cac bd phan va cac<br /> rdng mdi ben thu: ba se cd mpt ngudi quan ly mdi<br /> don vi tuong img hay sir dung md hinh phan cap,<br /> quan he Uen quan (TPRM - Third party relationship<br /> phan phdi theo cac bp phan khac nhau trong doanh<br /> manager).<br /> nghiep. Tuy nhien, cho dii sir dung md huih nao,<br /> cac doanh nghiep can dam bdo cac van de quan Do dd viec an dinh mdt TPRM la can thidt, tuy<br /> tri lien quan ddn bao mat dft Ueu. Bai viet dua ra 5 nhien cac CISO ciing cdn phai xem xet va gidi quyet<br /> nguyen tdc quan ly nil ro ve an ninh thdng tin trong mdt xung dot kiu thuc hien viec nay. Gia dinh rdng<br /> viec quan ly cac ben thu ba, va md ta mpt sd chien doanh nghiep mudn thue hay sir diing mdt ben thir<br /> lupc CO ban de giam bdt nii ro trong viec chia se ba dd dap img nhu cau boat ddng cua minh, de<br /> thdng tin bi mat ciia doanh nghiep. Trong dd, CISC quan tri tdt thi neu chi dn dinh TPRM la chua dii.<br /> ddng vai trd quan trpng, giiip dam bdo tinh an toan Trong thuc td, ly do hay can cir nao dd cac doanh<br /> ciia dfl Ueu khi chia se vdi cac ben thu ba. nghiep thuc su tin tudng cac ben thu: ba, va yen<br /> tam vd nhiing dfi lieu cung cap cho hp. Day la ly<br /> 5 NGUYEN TAC QUAN LY R U I RO K H I do tai sao trach nhiem cua TPRM la rat quan trpng,<br /> CHIA SE D Q L I E U V O I BEN THLf BA bdi cd the TPRM bi ben thii mua chupc. Do dd, vai<br /> trd cua CISO la dam bao rdng cac TPRM thuc hien<br /> Quyen sd hu'u<br /> cac hop ddng, tham dfnh, quan ly va quy trinh giam<br /> Vdn de qudn trf ddu tien va quan trpng nhat la<br /> sdt ben thir ba nghiem<br /> quyen sd hflu. Bat ke<br /> •• "— ""••'•"'''" tiic va chu ddng.<br /> ky kdt hpp ddng hay<br /> Cac dieu khoan hdp<br /> tidn hanh tham dinh<br /> dong<br /> Uen quan nao thi yeu<br /> td quan trong hang ddu Khi quydn sd hflu<br /> la: Ai la ngudi chiu trach da dupc xac dinh ro<br /> nhiem cu the cho mdi rang, van de tidp theo<br /> quan he hpp tac, rd rang la CISO cdn dam bdo<br /> dd khdng phdi la mpt bd giai quyet cac vudng<br /> phan, phdng ban hoac mde tmdc khi ky ket<br /> mdt nhdm nha cung cap hop ddng va trao ddi<br /> ma la mdt ngudi. Trong dfi lieu.<br /> moi tmdng hop, ngudi Van de ddu tten la<br /> dd se ndm trong don vi tai sao? Tai sao cdc<br /> kinh doanh hoac sdn ben thii ba can dfi lieu<br /> xudt ma tmc tidp giam nay? Nd cd cdn thiet<br /> <br /> <br /> 12 I TAP CHI CNTT & TT KY 2 (2.2011)<br />  AN TOAN - BAO MAT<br /> <br /> <br /> <br /> <br /> vdi hp dd cung cap san pham hoac dich vu gi? Hp Tuy nhien, cudi cung, doanh nghiep can phai luu y<br /> cdn tdt ca dir Ueu dd hay chi mdt phdn? Cudi ciing, rdng trong khi cac quy dinh nay tdn tai (it nhat tren<br /> bd phan kinh doanh lien quan cdn phdi tim hidu ly thuydt) dd ngan chan mpt su cd, thuc td la chung<br /> xem tai sao dfl Ueu dd la bdt budc ddi vdi cac san chu yeu tdn tai dudi dang quyen tmy ddi. Viec ngan<br /> phdm hay dfeh vu ciia ben thii ba. Trong linh vuc chan su cd thuc te se dupc thuc hien thdng qua<br /> nay, CISO dupc xem nhu la mdt chuyen gia tu van thdm dinh ddu tu toan dien, thidt lap tich cue va cac<br /> trong cac cudc thdo luan xung quanh nhflng tuy dieu khoan qudn ly va giam sat hieu qua.<br /> chpn tdn tai vd viec giam loai va lupng dfl lieu dupc Ra s c a t t o n g t h e ( t h a m d i n h dau tu')<br /> cung cap.<br /> Cac doanh nghiep cdn phai than trong trong viec<br /> Thuc te, nhidu ngudi thudng xem dfl lieu (tham chi danh gia va quan ly cac ben thir ba khi thuc hien<br /> dfi Ueu rdt bi mat) nhu mdt yeu td cdn thief cho boat chia se dfi Ueu. Khi tten hanh tham dinh dau tu<br /> ddng cua doanh nghiep, gidng nhu vien gach dd ben thir ba, viec thu thap thdng tin nao khdng quan<br /> xay dung, chir khdng phai la tai san doanh nghiep trpng bdng viec xir ly thdng tm dd nhu the nao.<br /> cd gia tn va rat nhay cam. Do dd, vd cac dieu khoan Vdi sir dinh hudng va/hoac tro giiip cua CISO,<br /> hpp ddng cd mpt sd van dd CISO can phdi ddm bao, doanh nghiep cdn tim hieu va ndm dupc each thiic<br /> bao gdm bat ky dd Ueu bi mat se dupc trao ddi: ma ben thir ba luu trii, quan ly va bao ve cac dd lieu<br /> - Ngdn ngfl bao mat tieu chuan tuong ximg vdi bi mat ma hp dang cd, hoac se dupc chia se d dau<br /> mirc dp thdng tin chia se dd? Ai se cd quydn tmy cap? Viec cdp va thu hdi<br /> - Cung cap "quyen kiem tra" dua vao kiem soat quydn tmy cap nhu the nao?<br /> ndi bd he thdng cua ben thii ba Ngoai ra, doanh nghiep cdng nen cd mpt co che<br /> - Cac thda thuan cap dfeh vu rd rang trong tmdng dd phan loai dft lieu se dupc chia se. Loai thdng tin<br /> hpp cd vi pham tinh an toan du lieu se bao gdm? Miic dd nhay cam la gi? Thdng tin nao<br /> - Trach nhiem tai chinh bao gdm cd chi phi Uen se dupc chia se va miic dd chia se, v.v...? Dieu nay<br /> quan ddi vdi mdt hanh vi vi pham dd Ueu tao ra mdt co sd de doanh nghiep qudn ly du lieu.<br /> <br /> <br /> <br /> <br /> TAP CHI CNTT&TT KY 2 ( 2 . 2 0 1 1 ) 13<br />  AN TOAN - BAO MAT<br /> <br /> <br /> <br /> nhdm danh gia miic dp riu ro khi chia se dfi Ueu. trinh dupc dat ra de giam sat cac ben thii ba can cd<br /> Mpt van de khac ma doanh nghiep thudng bd qua nhfing thay ddi de phu hpp vdi cdc yeu cdu mdi.<br /> la buy dfl lieu: khi nao va nhu the nao? Sau khi da Lfng pho sU co<br /> sir dung xong, lam the nao dd chimg td ben thu ba Ung phd su cd la mdt yeu cau bdt budc ddi vdi cac<br /> da thuc su hiiy dfl Ueu va hau qua gi se xay ra ndu doanh nghiep. Do dd de dap img tdt khi xay ra su<br /> dft Ueu khdng bf huy hoan toan? Day la mpt thach cd, doanh nghiep can xay dung cac kich ban xam<br /> thiic ddi vdi cac doanh nghiep ndi chung va CISO pham dfi Ueu va each thiic giai quydt khi chimg xay<br /> ndi rieng. ra, tir dd dua ra cac quy trinh thiic hien de ddp img<br /> Cudi cimg, khi thuc hien qua trinh tham dinh ben nhanh chdng va tdt nhat cd the..<br /> thii ba, doanh nghiep can xay dimg mpt hd so nil Ngodi ra, trong mdi hpp ddng ciia doanh nghiep<br /> ro ddi vdi tat ca cac ben thii ba, bao gdm viec danh vol ben thu ba phai can cd mdt dieu khoan vd yeu<br /> gia nii ro dira vao loai va lupng dfi lieu dupc chia se. cdu thdng bao trong tmdng hpp xay ra rd ri dti lieu,<br /> Didu nay cho phep doanh nghiep tranh tap tmng tai trong dd cu the vd ngay gid, tham chi la ca phut. Cac<br /> nguyen va ngudn luc ciia minh vao ben thu ba ma CISO cdn dam bdo rdng ddi vdi doanh nghiep ciia<br /> cd nil ro cao nhat nhat, ddng thdi cung cap mpt co hp va cac ben thii ba cd mpt thdng bao su cd nay se<br /> sd phap ly de tham chieu khi ben thit ba hoac cac dupc gin tdi chinh xac tat ca nhflng ngudi lien quan<br /> didu khoan ciia hpp ddng thay ddi. va nhfmg ngudi se chiu trach nhiem trong viec thitc<br /> Giam sat hien mpt ke hoach giai quyet.<br /> Giam sat va img phd su cd la mdt thach thuc Idn Va mpt van de nfla la doanh nghiep can didu tra<br /> ddi vdi cac nha quan ly doanh nghiep. Mac dii viec hay xem xet lai viec rd ri hay vi pham dft Ueu de xac<br /> giam sat cac ben thu ba thudng gap nhidu han che, dmh xem trach nhiem thudc vd ben nao va thief hai<br /> cd mpt sd van de ma CISO can dam bao giai quydt ra sao. Neu viec rd ri chi trong ndi bd khdng gay<br /> tdt. Ddu tien la nhflng thay ddi ndi bp. Day thudng thiet hai gi thi cd the chi xir ly dudi hinh thirc xir<br /> la mdt thay ddi ve pham vi hop ddng, trong dd yeu phat hanh chinh, cdn neu d muc dp nghiem trpng<br /> cdu su thay ddi ve sd lupng, dp nhay cam hay tdn hon cd the ddi hdi su can thiep cua phap luat.<br /> xuat ciia dii lieu dang dupc trao ddi. Trong tmdng<br /> hop nay phai cd mdt quy trinh dd kidm tra lai hd so KET L U A N<br /> nil ro dua tren cac yeu cau dd Ueu mdi, va ndu xay Thuc td cho thay phdn Idn cac doanh nghiep chi<br /> ra su thay ddi ve chat cdn tien hanh va hoan thanh thu thap thdng tin ca ban vd ben thii ba ma hp se<br /> mdt phan tich danh gia riu ro mdi. trao ddi dfl Ueu bi mat, vdi tiep can qua loa khi phan<br /> Ndu khdng, tiic la doanh nghiep ban cd the dang tich thdng tin dd ma khdng thuc hien cac budc thdm<br /> ap dung cac quy tdc cfi cho mpt linh vuc mdi khac dinh tdi thieu, do dd ddn den viec rd ri hay vi pham<br /> khdng phu hpp. Va rd rang dieu nay se bao gdm dd Ueu . Do dd CISO cd nhiem vii quan trpng la dam<br /> ca nhflng thay ddi ddi vdi ban than cac ben thii ba bao rdng tat ca cac he thdng va dieu khoan dupc dat<br /> nhu tai CO cau doanh nghiep, mua lai doanh nghiep, ra dd dam bao cac ben thii ba tuan thu chat che cac<br /> chuyen ddi nganh nghe kinh doanh mdi, v.v... Mdi chinh sach an nmh thdng tin theo quy dinh.<br /> yeu td nay cd the cd tac dpng tdi cac dieu khodn Vdn .4 nil. Thiiy Diep<br /> ndi bd Uen quan den viec bao ve dfl lieu, va CISO<br /> (Theo: Information Security Magazine,<br /> cd trach nhiem dam bao rdng cac he thdng hay quy<br /> DECEMBER 2010/JANUARY 2011)<br /> <br /> <br /> <br /> 14 I TAP CHI CNTT & TT KY 2 (2.2011)<br />