Continuous Improvement

Continuous Improvement

持续改进

Risk analysis is performed to provide upper management with the details necessary to decide which risks should be mitigated, which should be transferred, which should be deterred,which should be avoided, and which should be accepted. The result is a cost/ benefit comparison between the expected cost of asset loss and the cost of deploying safeguards against threats and vulnerabilities. Risk analysis identifies risks, quantifies the impact of threats, and aids in budgeting for security. It helps integrate the needs and objectives of the security policy with the organization’s business goals and intentions. The risk analysis/risk assessment is a “point in time” metric. Threats and vulnerabilities constantly change, and the risk assessment needs to be redone periodically in order to support continuous improvement.

进行风险分析是为了向高层管理人员提供必要的细节，以决定哪些风险应予以减轻、哪些应予以转移、哪些应予以阻止、哪些应予以避免、哪些应予以接受。其结果是对资产损失的预期成本与针对威胁和脆弱性部署保障措施的成本进行成本/效益比较。风险分析可以识别风险，量化威胁的影响，并帮助编制安全预算。它有助于将安全政策的需求和目标与组织的业务目标和意图相结合。风险分析/风险评估是一种 "时间点 "衡量标准。威胁和漏洞会不断变化，因此需要定期重新进行风险评估，以支持持续改进。

Security is always changing. Thus, any implemented security solution requires updates and changes over time. If a continuous improvement path is not provided by a selected countermeasure, it should be replaced with one that offers scalable improvements to security.

安全总是不断变化的。因此，任何已实施的安全解决方案都需要随着时间的推移进行更新和更改。如果所选对策不能提供持续改进的途径，则应将其替换为可对安全进行扩展改进的对策。

An enterprise risk management (ERM) program can be evaluated using the Risk Maturity Model (RMM). An RMM assess the key indicators and activities of a mature, sustainable,and repeatable risk management process. There are several RMM systems, each prescribing various means to achieve greater risk management capability. They generally relate the assessment of risk maturity against a five-level model (similar to that of the Capability Maturity Model [CMM]; see Chapter 20, “Software Development Security”). The typical RMM levels are as follows:

企业风险管理（ERM）计划可以使用风险成熟度模型（RMM）进行评估。RMM 评估成熟、可持续和可重复的风险管理流程的关键指标和活动。有几种 RMM 系统，每一种都规定了实现更强风险管理能力的各种方法。它们一般都是根据一个五级模型（类似于能力成熟度模型 [CMM]；见第 20 章 "软件开发安全"）来评估风险成熟度。典型的 RMM 级别如下：An enterprise risk management (ERM) program can be evaluated using the Risk Maturity Model (RMM). An RMM assess the key indicators and activities of a mature, sustainable,and repeatable risk management process. There are several RMM systems, each prescribing various means to achieve greater risk management capability. They generally relate the assessment of risk maturity against a five-level model (similar to that of the Capability Maturity Model [CMM]; see Chapter 20, “Software Development Security”). The typical RMM levels are as follows:

1. Ad hoc—A chaotic starting point from which all organizations initiate risk management.

   临时--所有组织启动风险管理的混乱起点。

2. Preliminary—Loose attempts are made to follow risk management processes, but each department may perform risk assessment uniquely.

   初步尝试--粗略尝试遵循风险管理流程，但每个部门都可以进行独特的风险评估。

3. Defined—A common or standardized risk framework is adopted organization-wide.

   定义级--在全组织范围内采用共同或标准化的风险框架。

4. Integrated—Risk management operations are integrated into business processes, metrics are used to gather effectiveness data, and risk is considered an element in business strategy decisions.

   综合/管理级--风险管理业务已纳入业务流程，使用衡量标准来收集有效性数据，并将风险视为业务战略决策的一个要素。

5. Optimized—Risk management focuses on achieving objectives rather than just reacting to external threats; increased strategic planning is geared toward business success rather than just avoiding incidents; and lessons learned are reintegrated into the risk management process.

   优化级--风险管理的重点是实现目标，而不仅仅是对外部威胁做出反应；加强战略规划，以业务成功为目标，而不仅仅是避免事故发生；将吸取的经验教训重新纳入风险管理流程。

   
   

If you have an interest in learning more about RMM, there is an interesting study of numerous RMM sysems and the attempt to derive a generic RMM from the common elements. See “Developing a generic risk maturity model (GRMM) for evaluating risk management in construction projects” at www.tandfonline.com/doi/full/10.1080/13669877.2019.1646309.

如果您有兴趣了解更多关于 RMM 的信息，有一项关于众多 RMM 系统的有趣研究，以及从共同要素中推导出通用 RMM 的尝试。请参阅 www.tandfonline.com/doi/full/10.1080/13669877.2019.1646309 上的 "开发通用风险成熟度模型 (GRMM)，用于评估建筑项目的风险管理"。

An often-overlooked area of risk is that of legacy devices, which may be EOL and/or EOSL:一个经常被忽视的风险领域是旧设备的风险，这些设备可能是 EOL 和/或 EOSL：

■ End-of-life (EOL) is the point at which a manufacturer no longer produces a product. Service and support may continue for a period of time after EOL, but no new versions will be made available for sale or distribution. An EOL product should be scheduled for replacement before it fails or reaches end-of-support (EOS) or end-of-service life (EOSL).

报废（EOL）是指制造商不再生产产品的时间点。在 EOL 之后，服务和支持可能会持续一段时间，但不会再有新版本可供销售或分发。EOL 产品应在出现故障或达到支持终止 (EOS) 或服务寿命终止 (EOSL) 之前安排更换。

■ EOL is sometimes perceived or used as the equivalent of EOSL. End-of-service-life(EOSL) or end-of-support (EOS) are those systems that are no longer receiving updates and support from the vendor. If an organization continues to use an EOSL system, then the risk of compromise is high because any future exploitation will never be patched or fixed. It is of utmost importance to move off EOSL systems in order to maintain a secure environment. It might not seem initially cost-effective or practical to move away from a solution that still works just because the vendor has terminated support. However, the security management efforts you will expend will likely far exceed the cost of developing and deploying a modern system–based replacement. For example, Adobe Flash Player reached its EOSL on December 31, 2020, and should be uninstalled, as recommended by Adobe.

EOL 有时被视为或等同于 EOSL。服务寿命终止（EOSL）或支持终止（EOS）是指那些不再接受供应商更新和支持的系统。如果一个组织继续使用 EOSL 系统，那么系统被入侵的风险就会很高，因为将来任何利用系统的行为都不会得到修补或修复。为了维持一个安全的环境，最重要的是停止使用 EOSL 系统。仅仅因为供应商终止了支持，就放弃仍在运行的解决方案，这在一开始似乎不符合成本效益，也不切实际。但是，您所花费的安全管理工作可能会远远超过开发和部署基于现代系统的替代方案的成本。例如，Adobe Flash Player 的 EOSL 已于 2020 年 12 月 31 日到期，应按照 Adobe 的建议卸载。

原文始发于微信公众号（网络安全等保测评）：Continuous Improvement