信息系统安全体系构建研究
|
摘要
信息系统的安全性是一个系统的问题,以往的经验教训表明,不考虑建立安全标准体系,往往会造成整体功能不完备、存在薄弱环节、部件功能重复、效率低下、评估困难、不适应需求和技术变化、互操作困难等问题。随着计算机信息系统规模的不断扩大和信息安全技术的不断发展,为了加强计算机信息系统安全体系的设计、开发、使用、评估和管理,需要对计算机信息系统安全体系进行系统化的认识和规范化的建设,因此必须建立统一的计算机信息系统安全体系模型和实施标准,规范计算机信息系统的安全体系建设,构筑我国计算机信息系统安全防范体系。
本文介绍了信息系统安全体系结构的概念由来及研究现状,并研究了信息系统安全体系结构的构成要素,以及当前流行的安全体系结构及相关理论,并分析其优劣势,讨论不同类型信息系统安全体系结构的特征,并研究了信息系统安全体系结构的构成要素;在安全体系模型的基础上,提出了基于网络的安全策略、基于主机的安全策略、基于设施的安全策略、基于安全事件的安全策略等定义。阐述了如何从系统层面上解决安全问题,即必须从体系结构的层面上全面的、考虑问题。设计了一个信息系统安全体系模型,通过实证对本模型的实用性进行验证。
针对计算机信息系统安全体系模型和实施标准的不足,本文的创新主要集中在:
(1)设计了一个信息系统安全体系模型,通过建立安全策略层、管理层、技术层、培训层来实现安全体系各层次的要素。它是基于P2DR模型的,将安全策略、安全管理、安全技术和安全培训共同结合到一个动态的模型中,并且它们分别是该模型的四个层次。从系统的角度上构建了一套完善的信息系统的安全体系。
(2)通过实证对本模型的实用性进行验证,得出本模型在具体系统中应用的有效性。
信息时代建立信息系统的安全体系对任何一个企业来讲有着至关重要的战略意义。信息系统安全一个永久性的问题,只有通过不断的改进和完善安全手段,才能保证系统的正常运行,才能提高系统的可靠性。
The security of the information system is a matter of system, past experience and lessons indicate that if not considering establishing the system of safety standard of information system, it will often cause such problems as incompleteness of the whole function, some weakness parts, redundant of part function, low efficiency, difficultly assessing, not adapting demand and technology change, difficultly operating each other. With the constant enlargement of the scale of computer information system and constant development of the information security technology, in order to strengthen the design, development, use, assessment and management of the security system of computer information system, the security system of computer information system should be systematized understood and be carried on standardized construction. Therefore, it is necessary to set up the unified security system model of computer information system and implementation standard, standardize the security system construction of the computer information system, and then build the security counter measures system of computer information system in our country.
The thesis having introduced the concept origins and research current situations of the security system structure of information system; On the basis of security system model, having proposed such definitions as security tactics based on internet, facility and host computer tactics; Having explained how to solve safe problem from systematic aspect, that is to comprehensively consider the problem from system structure. Having discussed the characteristic of the security system structure of different kinds of information systems, having analyzed the key component element of the security system structure of information system. Having introduced present and popular security system structure and relevant theories in detail, have analyzed its strength and weakness, having designed a security system model and the validity that a model uses in a system.
For the deficiency of security system model of computer information system and implementation standard, the work that this thesis does is concentrated on mainly:
(1) Having designed a security system model in common use that is based on building security tactics layer, administration layer, technology layer and training layer. It is based on P2DR model, and integrates four layers including security tactic, security management, security technology and security training into a dynamic model. Building a set of well-running information security system from systematic angle.
(2) Having proved the usability of the security system model in common use through doing case study and the validity that a model uses in a system.
In information age, it has essential strategic meanings for any enterprise to establish the system of security of the information system. The security of information system is a permanent matter. Only the security measure is continuously improved, can the running of the security system keep normal and the dependability of system be improved.
本文介绍了信息系统安全体系结构的概念由来及研究现状,并研究了信息系统安全体系结构的构成要素,以及当前流行的安全体系结构及相关理论,并分析其优劣势,讨论不同类型信息系统安全体系结构的特征,并研究了信息系统安全体系结构的构成要素;在安全体系模型的基础上,提出了基于网络的安全策略、基于主机的安全策略、基于设施的安全策略、基于安全事件的安全策略等定义。阐述了如何从系统层面上解决安全问题,即必须从体系结构的层面上全面的、考虑问题。设计了一个信息系统安全体系模型,通过实证对本模型的实用性进行验证。
针对计算机信息系统安全体系模型和实施标准的不足,本文的创新主要集中在:
(1)设计了一个信息系统安全体系模型,通过建立安全策略层、管理层、技术层、培训层来实现安全体系各层次的要素。它是基于P2DR模型的,将安全策略、安全管理、安全技术和安全培训共同结合到一个动态的模型中,并且它们分别是该模型的四个层次。从系统的角度上构建了一套完善的信息系统的安全体系。
(2)通过实证对本模型的实用性进行验证,得出本模型在具体系统中应用的有效性。
信息时代建立信息系统的安全体系对任何一个企业来讲有着至关重要的战略意义。信息系统安全一个永久性的问题,只有通过不断的改进和完善安全手段,才能保证系统的正常运行,才能提高系统的可靠性。
The security of the information system is a matter of system, past experience and lessons indicate that if not considering establishing the system of safety standard of information system, it will often cause such problems as incompleteness of the whole function, some weakness parts, redundant of part function, low efficiency, difficultly assessing, not adapting demand and technology change, difficultly operating each other. With the constant enlargement of the scale of computer information system and constant development of the information security technology, in order to strengthen the design, development, use, assessment and management of the security system of computer information system, the security system of computer information system should be systematized understood and be carried on standardized construction. Therefore, it is necessary to set up the unified security system model of computer information system and implementation standard, standardize the security system construction of the computer information system, and then build the security counter measures system of computer information system in our country.
The thesis having introduced the concept origins and research current situations of the security system structure of information system; On the basis of security system model, having proposed such definitions as security tactics based on internet, facility and host computer tactics; Having explained how to solve safe problem from systematic aspect, that is to comprehensively consider the problem from system structure. Having discussed the characteristic of the security system structure of different kinds of information systems, having analyzed the key component element of the security system structure of information system. Having introduced present and popular security system structure and relevant theories in detail, have analyzed its strength and weakness, having designed a security system model and the validity that a model uses in a system.
For the deficiency of security system model of computer information system and implementation standard, the work that this thesis does is concentrated on mainly:
(1) Having designed a security system model in common use that is based on building security tactics layer, administration layer, technology layer and training layer. It is based on P2DR model, and integrates four layers including security tactic, security management, security technology and security training into a dynamic model. Building a set of well-running information security system from systematic angle.
(2) Having proved the usability of the security system model in common use through doing case study and the validity that a model uses in a system.
In information age, it has essential strategic meanings for any enterprise to establish the system of security of the information system. The security of information system is a permanent matter. Only the security measure is continuously improved, can the running of the security system keep normal and the dependability of system be improved.
引文
[1]Greg Elofson,Peggy M Beranek,Philomina Thomas.An intelligent agent community approach to knowledge sharing.Decision Support System,1997,(20):83-98
[2]R.S.Sandhu,et al.Role-Based Access Control Models.IEEE Computer,2005,Vol.29(2):38-47.
[3]薛质,苏波,李建华,等.信息安全技术基础和安全.北京:清华大学出版社.2007:4-7
[4]俞承杭.信息安全技术.北京:科学出版社,2003.124-128
[5]缪道期.关于计算机安全学的建议.计算机工程与应用.2002,(2):1-5
[6]蒋孩,胡华平,王奕.计算机信息系统安全体系设计,计算机工程与科学,2003,25(1):38-41
[7]徐晓东.大型企业网络安全问题及解决方案:[硕士学位论文].杭州:浙江大学,2006.24-28
[8]谢崇斌.基于信息安全管理体系风险评估:[硕士学位论文]西安:西安电子科技大学,2004.14-18
[9]晓宗.信息安全战.北京:清华大学出版社.2003.4-8
[10]关启明,张素娟,吴涛,等.一种新的企业网络安全体系模型.河北理工学院学报:200,5(2)8-11
[11]胡华平,黄遵国,庞立会等网络安全纵深防御与保障体系.我国国防信息安全战略研讨会:2001,(2):17-19
[12]蒋蕉,王奕,胡华平,等.信息系统安全体系实施研究.北京:机械工业出版社,2003.151-152
[13]赵战生.中国信息安全体系结构基本框架域构想,计算机安全,2002.1,(11):44-47
[14]于慧龙.信息安全管理标准BS7799及其应用.网络安全技术与应用,2004:45-46
[15]段海新,吴建平.计算机网络的一种实体安全体系结构,计算机学报,2001.24,(8):853-859
[16]陈海涛,胡华平,徐传福,龚正虎,等.动态网络安全的框架模型,科大学报,2003.34,(11):53-59
[17]GB/T9387.2-1995,信息处理系统开放系统互连基本参考模型第2部分:安全体系结构
[18]孙进.中小企业网络安全体系的研究与构建:[硕士学位论文].上海:上海大学,2003
[19]刘怡,张截.基于的管理信息系统研究.计算机应用与软件,2005.Vol.22,(8):52- 54.
[20]刘密霞.基于策略的信息安全模型及形式化建模的研究:[硕士学位论文].兰州:兰州理工大学通信与信息系统专业,2004.
[21]Lunckham D C,Vera J.An Event-based Architecture Definition Language[J].IEEE Transanction on Software Engineering,1995,(21):1-4.
[22]徐立新.大型管理信息系统安全模型.武钢技术,2000.Vol.38,(1):31-34.
[23]褚燕华.基于电子政务的信息安全的研究与应用:[硕士学位论文].北京:北京科技大学计算机应用技术专业,2005.
[24]冯国登,张阳,张玉清,等.信息安全风险评估综述,通信学报,2004,(8):3-5
[25]Stuart McClure,Joel Scambray,George Kurtz.Hacking Exposed Fifth Edition:Network Security Secrets&Solutions.New York:McGraw-Hill,2005,(9):13-15
[26]余建斌.黑客攻击与防范技术.北京:人民邮电出版社,2005.8:68-75
[27]段海新,吴建平,等.计算机网络的一种实体安全体系结构.计算机学报,2004.24,(8):853-859
[28]张英朝.基于智能协作技术的信息系统安全体系结构研究.计算机学报,2002.10.:8-10
[29]美国家安全局.信息保障技术框架.北京:中软电子出版社,2005.8:79-83
[30]张晨曦.计算机体系结构.北京:高等教育出版社,2004.4:27-30
[31][美]莫瑞.加瑟著.吴亚非译.计算机安全的技术与方法.北京:电子工业出版社2005.9:18-25
[32]戴红,王海泉,等.计算机网络安全.北京:电子工业出版社,2004.8-15
[33]段云所.信息安全概论.北京:机械工业出版社,2003:23-30
[34]吴应良.管理信息系统的安全问题与对策研究.计算机应用研究.1999,(11).22-25
[35]B.Moller.Securing elliptic curve point multiplication against side-channel attacks[J].In CzI.Davidaand Y Frankel,editors,Information Security:4th International Conference,ISC 2001,LNCSvol.2200:324-334.
[36]National Computer Security Center.Discretionary Access Control Issues in High Assurance SecureDatabase Management SvstemsfRl.NCSC Technical Report-005.Vol.5(5)Mav 1996,(8):3-5
[37]Denning D E.A Lattice Model of Secure Information Flow[J].ACM,1976,1,(5):236-243
[38]Kevin D.Mitnick,William L.Simon.The Art of Deception:Controlling the Human Element of Security.New York:Wiley,2002
[39]Andrew S.Tanenbaum.Computer Networks[M].3rd Ed.Prentice Hal1,1996,(5):26-33
[40]KennethC.Laudon Jane Price Laudon.Information System and Thelnternet:A Problem-Solving Approach.The Dryden Press Harcourt Brace College Publishers, Press Harcourt Brace&Company Asia Pte Ltd
[41] D.F Ferraiolo, R. Sandhu, S. Gavrila, D.R. Kuhn&R. Chandramouli. Proposed NIST standard forrole-based access control. ACM Transactions on Information and System Security, 2003,Vol.4 (3):224-274.
[42] Neuman C,Kerberos T.An authentication. Service for computer networks IEEE Communication Magazine, 1994,32(9): 33-38
[43] Courseware:Application Framework for E-business of IBM.IBM
[44] Ricardo Ernst, Bardia Kamrad, Evaluation of supply chain through modularization and postponement, European Journal of Operation Research,124,2000,pp.495-510
[45] Lotus Notes Developer's Guide 1998Simon &Schuster(Asia)PteLtd
[46] Fine T,Minear S e.Nash. Assuring Distributing Trusted Mach. In the proceeding of the 1993 IEEE Computer Security Symposium on Security and Privacy .1999:206-218
[2]R.S.Sandhu,et al.Role-Based Access Control Models.IEEE Computer,2005,Vol.29(2):38-47.
[3]薛质,苏波,李建华,等.信息安全技术基础和安全.北京:清华大学出版社.2007:4-7
[4]俞承杭.信息安全技术.北京:科学出版社,2003.124-128
[5]缪道期.关于计算机安全学的建议.计算机工程与应用.2002,(2):1-5
[6]蒋孩,胡华平,王奕.计算机信息系统安全体系设计,计算机工程与科学,2003,25(1):38-41
[7]徐晓东.大型企业网络安全问题及解决方案:[硕士学位论文].杭州:浙江大学,2006.24-28
[8]谢崇斌.基于信息安全管理体系风险评估:[硕士学位论文]西安:西安电子科技大学,2004.14-18
[9]晓宗.信息安全战.北京:清华大学出版社.2003.4-8
[10]关启明,张素娟,吴涛,等.一种新的企业网络安全体系模型.河北理工学院学报:200,5(2)8-11
[11]胡华平,黄遵国,庞立会等网络安全纵深防御与保障体系.我国国防信息安全战略研讨会:2001,(2):17-19
[12]蒋蕉,王奕,胡华平,等.信息系统安全体系实施研究.北京:机械工业出版社,2003.151-152
[13]赵战生.中国信息安全体系结构基本框架域构想,计算机安全,2002.1,(11):44-47
[14]于慧龙.信息安全管理标准BS7799及其应用.网络安全技术与应用,2004:45-46
[15]段海新,吴建平.计算机网络的一种实体安全体系结构,计算机学报,2001.24,(8):853-859
[16]陈海涛,胡华平,徐传福,龚正虎,等.动态网络安全的框架模型,科大学报,2003.34,(11):53-59
[17]GB/T9387.2-1995,信息处理系统开放系统互连基本参考模型第2部分:安全体系结构
[18]孙进.中小企业网络安全体系的研究与构建:[硕士学位论文].上海:上海大学,2003
[19]刘怡,张截.基于的管理信息系统研究.计算机应用与软件,2005.Vol.22,(8):52- 54.
[20]刘密霞.基于策略的信息安全模型及形式化建模的研究:[硕士学位论文].兰州:兰州理工大学通信与信息系统专业,2004.
[21]Lunckham D C,Vera J.An Event-based Architecture Definition Language[J].IEEE Transanction on Software Engineering,1995,(21):1-4.
[22]徐立新.大型管理信息系统安全模型.武钢技术,2000.Vol.38,(1):31-34.
[23]褚燕华.基于电子政务的信息安全的研究与应用:[硕士学位论文].北京:北京科技大学计算机应用技术专业,2005.
[24]冯国登,张阳,张玉清,等.信息安全风险评估综述,通信学报,2004,(8):3-5
[25]Stuart McClure,Joel Scambray,George Kurtz.Hacking Exposed Fifth Edition:Network Security Secrets&Solutions.New York:McGraw-Hill,2005,(9):13-15
[26]余建斌.黑客攻击与防范技术.北京:人民邮电出版社,2005.8:68-75
[27]段海新,吴建平,等.计算机网络的一种实体安全体系结构.计算机学报,2004.24,(8):853-859
[28]张英朝.基于智能协作技术的信息系统安全体系结构研究.计算机学报,2002.10.:8-10
[29]美国家安全局.信息保障技术框架.北京:中软电子出版社,2005.8:79-83
[30]张晨曦.计算机体系结构.北京:高等教育出版社,2004.4:27-30
[31][美]莫瑞.加瑟著.吴亚非译.计算机安全的技术与方法.北京:电子工业出版社2005.9:18-25
[32]戴红,王海泉,等.计算机网络安全.北京:电子工业出版社,2004.8-15
[33]段云所.信息安全概论.北京:机械工业出版社,2003:23-30
[34]吴应良.管理信息系统的安全问题与对策研究.计算机应用研究.1999,(11).22-25
[35]B.Moller.Securing elliptic curve point multiplication against side-channel attacks[J].In CzI.Davidaand Y Frankel,editors,Information Security:4th International Conference,ISC 2001,LNCSvol.2200:324-334.
[36]National Computer Security Center.Discretionary Access Control Issues in High Assurance SecureDatabase Management SvstemsfRl.NCSC Technical Report-005.Vol.5(5)Mav 1996,(8):3-5
[37]Denning D E.A Lattice Model of Secure Information Flow[J].ACM,1976,1,(5):236-243
[38]Kevin D.Mitnick,William L.Simon.The Art of Deception:Controlling the Human Element of Security.New York:Wiley,2002
[39]Andrew S.Tanenbaum.Computer Networks[M].3rd Ed.Prentice Hal1,1996,(5):26-33
[40]KennethC.Laudon Jane Price Laudon.Information System and Thelnternet:A Problem-Solving Approach.The Dryden Press Harcourt Brace College Publishers, Press Harcourt Brace&Company Asia Pte Ltd
[41] D.F Ferraiolo, R. Sandhu, S. Gavrila, D.R. Kuhn&R. Chandramouli. Proposed NIST standard forrole-based access control. ACM Transactions on Information and System Security, 2003,Vol.4 (3):224-274.
[42] Neuman C,Kerberos T.An authentication. Service for computer networks IEEE Communication Magazine, 1994,32(9): 33-38
[43] Courseware:Application Framework for E-business of IBM.IBM
[44] Ricardo Ernst, Bardia Kamrad, Evaluation of supply chain through modularization and postponement, European Journal of Operation Research,124,2000,pp.495-510
[45] Lotus Notes Developer's Guide 1998Simon &Schuster(Asia)PteLtd
[46] Fine T,Minear S e.Nash. Assuring Distributing Trusted Mach. In the proceeding of the 1993 IEEE Computer Security Symposium on Security and Privacy .1999:206-218