Strategic plans have a long-term planning horizon of up to five years in most cases. Operational and tactical plans have shorter horizons, typically a year or less.
When following the separation of duties principle, organizations divide critical tasks into discrete components and ensure that no one individual has the ability to perform both actions. This prevents a single rogue individual from performing that task in an unauthorized manner.
The data custodian role is assigned to an individual who is responsible for implementing the security controls defined by policy and senior management, and is usually delegated that work by senior management. The data owner does bear ultimate responsibility for these tasks, but the data owner is typically a senior leader who delegates operational responsibility to a data custodian.
The owner of the information security program may be different from the individuals responsible for implementing the controls. This person should be as senior an individual as possible who is able to focus on the management of the security program. The president and CEO is unlikely to have enough time to devote to security matters, and of the remaining choices the chief information officer (CIO) is the most senior manager.
Integrity controls, such as the one Beth is implementing in this example, are designed to prevent the unauthorized modification of information.
Mandatory vacation programs require that employees take continuous periods of time off each year and revoke their system privileges during that time. This will hopefully disrupt any attempt to engage in the cover-up actions necessary to hide fraud and result in exposing the threat. Separation of duties, least privilege, and defense in depth all help prevent fraud, but they are unlikely to be effective at detecting fraud that has already occurred.
Denial of service (DoS) and distributed denial of service (DDoS) attacks try to disrupt the availability of information systems and networks by flooding a victim with traffic or otherwise disrupting service.
Baselines provide the minimum level of security that every system throughout the organization must meet.
Keyloggers monitor the keystrokes of an individual and report them back to an attacker. They are designed to steal sensitive information, a disruption of the goal of confidentiality.
Confidentiality controls prevent the disclosure of sensitive information to unauthorized individuals. Limiting the likelihood of a data breach is an attempt to prevent unauthorized disclosure.
Keeping a server up and running is an example of an availability control because it increases the likelihood that the server will remain available to answer user requests.
ISO 27002 is an international standard focused on information security and titled “Information technology – Security techniques – Code of practice for information security management.” The IT Infrastructure Library (ITIL) does include security management practices, but it is not such a document, and the security concerns it addresses are drawn from ISO 27002. The Capability Maturity Model (CMM) focuses on software development, and the Project Management Body of Knowledge (PMBOK) Guide focuses on project management.
Nonrepudiation allows a recipient to prove to a third party that a message came from a purported source. Authentication would provide proof to Ben that the sender was authentic, but Ben would not be able to prove this to a third party.
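The distinction above, as an added example that is not part of the original answer key: a shared-key HMAC authenticates the sender to Ben, but because Ben holds the same key he could have produced the identical tag himself, so it proves nothing to a third party; an Ed25519 signature made with the sender's private key verifies under the sender's public key for anyone, and a signature Ben makes with his own key does not. The message text and keys are constructed for the demonstration.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Constructed sample message; the content is illustrative only.
var msg = []byte("Ben, please transfer 500 to account 42")

// hmacTag computes an HMAC-SHA256 tag under a key shared by sender and recipient.
func hmacTag(key, m []byte) []byte {
	h := hmac.New(sha256.New, key)
	h.Write(m)
	return h.Sum(nil)
}

// AuthenticationOnly models authentication without nonrepudiation: Ben can verify
// the sender's tag, but the very same computation lets him forge an identical tag,
// so a third party cannot tell which of the two produced it.
func AuthenticationOnly(sharedKey []byte) (benVerifies, benCanForge bool) {
	senderTag := hmacTag(sharedKey, msg)
	benVerifies = hmac.Equal(hmacTag(sharedKey, msg), senderTag)
	benCanForge = bytes.Equal(hmacTag(sharedKey, msg), senderTag)
	return benVerifies, benCanForge
}

// Nonrepudiation models a digital signature: only the sender's private key can
// produce a signature that verifies under the sender's public key, which any third
// party can check. Ben signing with his own key does not verify under that key.
func Nonrepudiation() (thirdPartyVerifies, benCanForge bool, err error) {
	senderPub, senderPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return false, false, err
	}
	sig := ed25519.Sign(senderPriv, msg)
	thirdPartyVerifies = ed25519.Verify(senderPub, msg, sig)

	_, benPriv, err := ed25519.GenerateKey(rand.Reader) // Ben's own key, not the sender's
	if err != nil {
		return false, false, err
	}
	benCanForge = ed25519.Verify(senderPub, msg, ed25519.Sign(benPriv, msg))
	return thirdPartyVerifies, benCanForge, nil
}

func main() {
	v, f := AuthenticationOnly([]byte("constructed-shared-key"))
	fmt.Printf("HMAC: Ben verifies=%v, Ben can forge=%v\n", v, f)
	tv, bf, err := Nonrepudiation()
	if err != nil {
		panic(err)
	}
	fmt.Printf("Ed25519: third party verifies=%v, Ben can forge=%v\n", tv, bf)
}
```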
Defense in depth states that organizations should have overlapping security controls designed to meet the same security objectives whenever possible. This approach provides security in the event of a single control failure.
Stakeholders should be informed of changes before, not after, they occur. The other items listed are goals of change management programs.
Electronic access to company resources must be carefully coordinated. An employee who retains access after being terminated may use that access to take retaliatory action. On the other hand, if access is terminated too early, the employee may figure out that he or she is about to be terminated.