Research and Practice of an Information Security Management System Suited to E-Government
Abstract
As the informatization of government departments deepens, information security grows ever more important, and government departments face a large number of security problems in their operations. For a long time, however, e-government information security work has emphasized technology at the expense of management. Applying information security technologies and products has solved some information security problems, but long experience and practice show that even when sufficiently advanced and sufficiently numerous security technologies and products are procured and deployed, information security incidents still cannot be avoided. "Thirty percent technology, seventy percent management": information security is not a purely technical process but a comprehensive protective one; the ability to achieve security by technical means alone is limited, and security technology must be supported by an appropriate security management system. Technology and management complement each other. Information security assurance must give equal weight to management and technology and adopt comprehensive protection; this is the only way to safeguard security effectively and to achieve information security objectives.
Starting from the security requirements of e-government construction in government departments, this thesis introduces the background of information security management and information security management systems, analyses the characteristics of e-government information security assurance, and, in particular in combination with China's classified protection system for information system security and with reference to domestic and international system standards and best practices, presents an operational method for implementing an information security management system, providing useful guidance and reference for government departments building e-government information security management systems.
The implementation method proposed in this thesis has already been applied to e-government information security management system construction in six pilot organizations, with very good results, and has been adopted into the Beijing Municipal E-Government Information Security Management System Implementation Guide (《北京市电子政务信息安全管理体系实施指南》), forming a technical guidance document used to guide and standardize the implementation of e-government information security management systems in Beijing.
With the rapid development of information construction in government, information security is becoming more and more important, while government faces many security problems in its business. However, for a long time, people have paid more attention to technology while ignoring management in the establishment of e-government. Applications of technical methods have solved security problems to some extent. But research and practice both show that security incidents cannot be avoided even if good enough security technologies are applied. "30% technology, 70% management": information security is a comprehensive protection process, not a technical one. The capacity of technical control alone is limited and must be supported by a proper security management system. Technology and management help each other. We must emphasize both management and technology in information security protection, so as to safeguard security and achieve security targets.
In this paper, we start from the government's requirements for e-government construction, introduce the characteristics of e-government information security, especially as correlated with our nation's security classification protection for information systems, and bring out a practicable implementation process for an information security management system on the basis of international system standards and best practices, providing positive guidance and reference for governments that plan to establish an information security management system.
The implementation process presented in this paper has been used in 6 experimental government units and adopted by the "Guideline of ISMS for E-government in Beijing", already forming a technical guideline aimed at guiding and regulating the implementation of e-government information security management systems in Beijing.