Programming board - TSA Paid $1.4 Million For Randomizer App That Chooses Left Or Right
l*********s
Posts: 5409
a9
Posts: 21638
2
Or should the TSA spend 300k to keep a few programmers on the payroll long-term?

Right

【Quoting l*********s】
: https://news.slashdot.org/story/16/04/04/2227200/tsa-paid-14-mi
: randomizer-app-that-chooses

l*********s
Posts: 5409
3
1.4m is the value of a contract awarded to IBM; it might be rationalized by equipment/training cost. But why can't they just roll a die?
l******n
Posts: 9344
4
The report says this program cost at least 330k...

【Quoting l*********s】
: 1.4m is the value of a contract awarded to IBM; it might be rationalized by equipment/training cost. But why can't they just roll a die?

l*********s
Posts: 5409
5
I deeply felt the malice of the world. >__<
z*y
Posts: 1311
6

1. Cost: rolling a die also needs equipment and training, which may cost even more. Ordinary TSA staff are not qualified in my opinion; this is the US government we are talking about, you cannot just do it.
2. Time: after rolling a die it would take several seconds to settle down, which is not fast enough; it would potentially increase the anxiety of people waiting in line, and the related psychological, mental and physical issues, liability and lawsuits.

【Quoting l*********s】
: 1.4m is the value of a contract awarded to IBM; it might be rationalized by equipment/training cost. But why can't they just roll a die?

f*******t
Posts: 7549
7
Reportedly the app development cost was $47,000. Even in the US, being on the government payroll is sweet.
l*********s
Posts: 5409
8
An app this simple should be done in minutes.
a*f
Posts: 1790
9

If the app is built strictly to NIST's Minimum Security Requirements, this is probably the base price, regardless of whether you write one line of code or tens of thousands. Testing, management, review, risk planning, training, maintenance and system support are all expensive.

Specifications for Minimum Security Requirements (FIPS Publication 200, Minimum Security Requirements for Federal Information and Information Systems)

Access Control (AC): Organizations must limit information system access to authorized users, processes acting on behalf of authorized users, or devices (including other information systems) and to the types of transactions and functions that authorized users are permitted to exercise.

Awareness and Training (AT): Organizations must: (i) ensure that managers and users of organizational information systems are made aware of the security risks associated with their activities and of the applicable laws, Executive Orders, directives, policies, standards, instructions, regulations, or procedures related to the security of organizational information systems; and (ii) ensure that organizational personnel are adequately trained to carry out their assigned information security-related duties and responsibilities.

Audit and Accountability (AU): Organizations must: (i) create, protect, and retain information system audit records to the extent needed to enable the monitoring, analysis, investigation, and reporting of unlawful, unauthorized, or inappropriate information system activity; and (ii) ensure that the actions of individual information system users can be uniquely traced to those users so they can be held accountable for their actions.

Certification, Accreditation, and Security Assessments (CA): Organizations must: (i) periodically assess the security controls in organizational information systems to determine if the controls are effective in their application; (ii) develop and implement plans of action designed to correct deficiencies and reduce or eliminate vulnerabilities in organizational information systems; (iii) authorize the operation of organizational information systems and any associated information system connections; and (iv) monitor information system security controls on an ongoing basis to ensure the continued effectiveness of the controls.

Configuration Management (CM): Organizations must: (i) establish and maintain baseline configurations and inventories of organizational information systems (including hardware, software, firmware, and documentation) throughout the respective system development life cycles; and (ii) establish and enforce security configuration settings for information technology products employed in organizational information systems.

Contingency Planning (CP): Organizations must establish, maintain, and effectively implement plans for emergency response, backup operations, and post-disaster recovery for organizational information systems to ensure the availability of critical information resources and continuity of operations in emergency situations.

Identification and Authentication (IA): Organizations must identify information system users, processes acting on behalf of users, or devices and authenticate (or verify) the identities of those users, processes, or devices, as a prerequisite to allowing access to organizational information systems.

Incident Response (IR): Organizations must: (i) establish an operational incident handling capability for organizational information systems that includes adequate preparation, detection, analysis, containment, recovery, and user response activities; and (ii) track, document, and report incidents to appropriate organizational officials and/or authorities.

Maintenance (MA): Organizations must: (i) perform periodic and timely maintenance on organizational information systems; and (ii) provide effective controls on the tools, techniques, mechanisms, and personnel used to conduct information system maintenance.

Media Protection (MP): Organizations must: (i) protect information system media, both paper and digital; (ii) limit access to information on information system media to authorized users; and (iii) sanitize or destroy information system media before disposal or release for reuse.

Physical and Environmental Protection (PE): Organizations must: (i) limit physical access to information systems, equipment, and the respective operating environments to authorized individuals; (ii) protect the physical plant and support infrastructure for information systems; (iii) provide supporting utilities for information systems; (iv) protect information systems against environmental hazards; and (v) provide appropriate environmental controls in facilities containing information systems.

Planning (PL): Organizations must develop, document, periodically update, and implement security plans for organizational information systems that describe the security controls in place or planned for the information systems and the rules of behavior for individuals accessing the information systems.

Personnel Security (PS): Organizations must: (i) ensure that individuals occupying positions of responsibility within organizations (including third-party service providers) are trustworthy and meet established security criteria for those positions; (ii) ensure that organizational information and information systems are protected during and after personnel actions such as terminations and transfers; and (iii) employ formal sanctions for personnel failing to comply with organizational security policies and procedures.

Risk Assessment (RA): Organizations must periodically assess the risk to organizational operations (including mission, functions, image, or reputation), organizational assets, and individuals, resulting from the operation of organizational information systems and the associated processing, storage, or transmission of organizational information.

System and Services Acquisition (SA): Organizations must: (i) allocate sufficient resources to adequately protect organizational information systems; (ii) employ system development life cycle processes that incorporate information security considerations; (iii) employ software usage and installation restrictions; and (iv) ensure that third-party providers employ adequate security measures to protect information, applications, and/or services outsourced from the organization.

System and Communications Protection (SC): Organizations must: (i) monitor, control, and protect organizational communications (i.e., information transmitted or received by organizational information systems) at the external boundaries and key internal boundaries of the information systems; and (ii) employ architectural designs, software development techniques, and systems engineering principles that promote effective information security within organizational information systems.

System and Information Integrity (SI): Organizations must: (i) identify, report, and correct information and information system flaws in a timely manner; (ii) provide protection from malicious code at appropriate locations within organizational information systems; and (iii) monitor information system security alerts and advisories and take appropriate actions in response.

【Quoting l*********s】
: An app this simple should be done in minutes.
H**********2
Posts: 107
10
What you're describing only applies when there's data involved. Generating a random number, is that classified too?

【Quoting a*f】
:
: If the app is built strictly to NIST's Minimum Security Requirements, this is probably the base price, regardless of whether you write one line of code or tens of thousands. Testing, management, review, risk planning, training, maintenance and system support are all expensive.
: Specifications for Minimum Security Requirements
: Access Control (AC): Organizations must limit information system access to authorized users, processes acting on behalf of authorized users, or devices (including other information systems) and to the types of transactions and functions that authorized users are permitted to exercise.

a*f
Posts: 1790
11
Government management doesn't care what you are actually building. If it's an app, it goes through the app process; if it's used in a security restricted area, it is reviewed under the corresponding standard. Your feature may be a single line of code, but did building the app pull in any third-party libraries?

【Quoting H**********2】
: What you're describing only applies when there's data involved. Generating a random number, is that classified too?
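As an added example, not code from the thread or from the app itself: the "one line" feature in Python, drawn from the OS CSPRNG with nothing but the standard library, together with a chi-square frequency check that would flag a chooser whose output is skewed. The names choose_lane, chi_square_two_sided and bias_check, and the 10,000-draw sample size, are assumptions of this example.

```python
import secrets
from collections import Counter

# Constructed example, not the TSA/IBM app's code. LANES, choose_lane,
# chi_square_two_sided and bias_check are names invented for this example.
LANES = ("LEFT", "RIGHT")


def choose_lane(rng=secrets.choice):
    """The whole feature: pick a lane from an OS-backed CSPRNG.

    secrets.choice draws from os.urandom, so there is no seed that the clock
    or an observed run of outputs would let anyone recover; random.choice
    seeded from the time would not give that property.
    """
    return rng(LANES)


def chi_square_two_sided(counts, n):
    """Chi-square statistic of observed lane counts against a fair 50/50 split."""
    expected = n / 2
    return sum((counts.get(lane, 0) - expected) ** 2 / expected for lane in LANES)


def bias_check(choose, n=10000, critical=10.83):
    """Draw n lanes from `choose` and flag a visibly biased output.

    10.83 is the chi-square critical value for 1 degree of freedom at
    p = 0.001, so a fair chooser is flagged about once in a thousand runs.
    """
    counts = Counter(choose() for _ in range(n))
    stat = chi_square_two_sided(counts, n)
    return {"counts": dict(counts), "chi_square": stat, "biased": stat > critical}


if __name__ == "__main__":
    # Fair source, as the app core would use it
    print("CSPRNG:", bias_check(choose_lane))
    # A constructed skewed source (70% LEFT) to show the check reacts
    skewed = lambda: "LEFT" if secrets.randbelow(10) < 7 else "RIGHT"
    print("skewed:", bias_check(skewed))
```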