基于ISO17799信息安全管理体系风险评估
|
摘要
信息系统是一个组织运作的核心。信息系统的安全管理工作是一个动态循环演化的过程。风险评估作为其中的一个重要环节,为信息系统安全管理动态模型的持续改进提供了目标和要求。以往的信息系统安全管理工作存在与安全技术结合不紧密的缺陷,导致许多组织重视安全技术,忽视安全管理。本文在当前已有理论成果的基础上,提出了与信息安全技术相适应的信息安全纵深管理体系,加强了两者之间的联系,提高了风险管理工作的地位。
本文在上述理论论证的指导下,参考安氏PADIMEE模型,并以ISO/IEC 17799为基础,建立了风险评估改进模型,完成了信息安全体系风险评估工具的数据库设计和程序设计,提高了风险评估工作的效率,增加了其结果的可信度与可比性,促进了国内信息安全管理工作的发展。
Information system is the kernel of one organization. The security management of information system is a dynamic circulatory evolutive process. As one important portion of it, risk assessment provides the goal and require for the continual improvement of dynamic information system security management model. By the shortage of incompact integration between security management and security technology, many organizations attach importance to security technology and less notice for security management. Based on the current theory results, this paper builds the Management-in-Depth System of Information Security that adaptive to information security technology. This work enhances the connection between security management and security technology, and heightens the status of risk management.
Under the guidance of this theory, this paper build the improved risk assessment model based on PADIMEE model and ISO/IEC 17799, and finishes the database design and software design of information security system risk assessment kit. The result increases the efficiency of risk assessment work, enhances the reliability and comparability of risk assessment result, and develops the information security management of our country.
本文在上述理论论证的指导下,参考安氏PADIMEE模型,并以ISO/IEC 17799为基础,建立了风险评估改进模型,完成了信息安全体系风险评估工具的数据库设计和程序设计,提高了风险评估工作的效率,增加了其结果的可信度与可比性,促进了国内信息安全管理工作的发展。
Information system is the kernel of one organization. The security management of information system is a dynamic circulatory evolutive process. As one important portion of it, risk assessment provides the goal and require for the continual improvement of dynamic information system security management model. By the shortage of incompact integration between security management and security technology, many organizations attach importance to security technology and less notice for security management. Based on the current theory results, this paper builds the Management-in-Depth System of Information Security that adaptive to information security technology. This work enhances the connection between security management and security technology, and heightens the status of risk management.
Under the guidance of this theory, this paper build the improved risk assessment model based on PADIMEE model and ISO/IEC 17799, and finishes the database design and software design of information security system risk assessment kit. The result increases the efficiency of risk assessment work, enhances the reliability and comparability of risk assessment result, and develops the information security management of our country.
引文
[1] 郭顺利.信息系统管理和控制目标体系COBIT研究及应用.www.cnki.net.2003,5
[2] 魏春光.北京电子政务系统安全策略.www.cnki.net.2003,5
[3] 黄元飞.信息技术安全性评估准则研究.www.cnki.net.2002,5
[4] 李守鹏.信息安全及其模型与评估的几点新思路.www.cnki.net.2002,5
[5] 梁晖.现在制造系统中的信息网络安全.www.cnki.net.2002,5
[6] 刘春年.网络信息安全保险研究.www.cnki.net.2002,5
[7] 袁德刚.特定信息系统安全体系设计.www.cnki.net.2002,5
[8] 秦保社.社会保险管理信息系统的设计与实现.www.cnki.net.2002,5
[9] 王春.电子商务交易平台安全架构的研究与应用.www.cnki.net.2002.5
[10] 田珂.CIMS中信息安全模型的建立及技术实现.www.cnki.net.2002,5
[11] 熊正光.VPN 产品中 IPSec 协议分析及产品的测试方法研究.www.cnki.net.2002,5
[12] 张芳云.网上证券交易安全技术研究.www.cnki.net.2002,5
[13] 马永祥.信息系统的安全研究.www.cnki.net.2002,5
[14] 詹彩云.信贷管理专家系统的设计与实现.www.cnki.net.2002,5
[15] 焦鹏.软件项目风险评估方法的研究.www.cnki.net.2003,5
[16] 朱晓静.网络银行运作中的风险管理.www.cnki.net.2002,5
[17] 吴世忠.基于风险管理的信息安全保障的研究.www.cnki.net.2002,5
[18] 谢彬.IT项目风险管理理论与实践.www.cnki.net.2003,5
[19] 卞莹.基于BS7799风险评估数据库系统设计与实现.中国科学技术大学.2003,5
[20] 廖泉文主编.人力资源发展系统.济南:山东人民出版社.2000,4
[21] 宋如顺.安全技术的安全风险分析与评估.计算机工程与应用.2001,12,24.83
[22] 姚孝明,陈健民.电子商务安全的风险分析与防范技术.计算机与现代化.2001,7.22
[23] 郭红芳,曾向阳.风险分析方法研究.计算机工程.2001,3,27.3.131
[24] 颜兆林,龚时雨,周经伦.概率风险评价系统.计算及应用研究.2001,2.40
[25] 宋如顺.信息系统安全风险综合分析方法.计算机工程.2000,12,26,12.33
[26] 余坚,郑跃斌.信息系统开发过程风险管理的实施模型.计算机工程与应用.2002,12,110
[27] 崔宝灵,鞠晓峰.SSE-CMM模型结构特征综述.高技术通讯.2001,5.101
[28] 宋如顺.基于SSE-CMM的信息系统安全风险评估.计算及应用研究.2000,11.13
[29] 钱刚.基于SSE-CMM的信息系统安全风险评估方法研究.计算机工程.2002,9,28,9.98
[30] 石文昌,孙玉芳.计算机安全标准演化与安全产品发展.广西科学.2001,8.168
[31] 石文昌,孙玉芳.CC标准框架下安全确信度的定量描述方法.广西科学.20012,9.1
[32] 江常青,吴世忠.一种信息系统安全测度的框架.信息安全与通信保密.26
[33] 国家烟草专卖局信息化工作领导小组办公室.烟草行业计算机网络和信息安全技术与管理规范.国家烟草专卖局烟草经济信息中心.2002,12
[34] 科飞管理咨询公司编著.信息安全管理概论——BS 7799理解与实施.机械工业出版社.2002
[35] 前导工作室译.网络安全技术内幕.机械工业出版社.2001
[36] E.Eugene Schultz著.网络安全事件响应.人民邮电出版社.2002
[37] 张维明,肖卫东等著.信息系统工程.电子工业出版社.2003
[38] 巨乃岐,欧仕金等著.信息安全——网络世界的保护神.军事科学出版社.2003
[39] 思乐安全体系方案。http:www.chinabbc.org
[40] 层次分析法.http://www.bast.cn.net/kxmc/index3.htm
[41] C J Tarr, Dr P Kinsman. Thr Validity Of Security Risk Assessment. IEEE. 1996
[42] Nick Larson, Andrew Kusiak. Managing design processes a risk assessment approach. IEEE. 1996,9,26,6.749
[43] Steven R. Trammell, Ronald D. Wright, Integrating risk assessment into management systems, IEEE, 1999.156
[44] Ray Madachy, Knowledge-based risk assessment and cost estimation, IEEE. 1994. 172
[45] Jan Qycind Aagedal, Folker den Braber. Model-based risk assessment to improve enterprise security. IEEE. 2002
[46] Hany H. Ammar. Risk assessment of software-system specifications. IEEE. 2001. 171
[47] ISO/IEC 17799-2000:Information technology——Code of practice for information security management.2000,12
[48] Common Criteria for Information Technology Security Evaluation Part 1: Introduction and general model. 1999, 8
[49] Common Criteria for Information Technology Security Evaluation Part 2: Security functional requirements. 1999,8
[50] Common Criteria for Information Technology Security Evaluation Part 3: Security assurance requirements. 1999,8
[51] Common Evaluation Methodology for Information Technology Security Part 1: Introduction and general model. 1997,1
[52] Common Evaluation Methodology for Information Technology Security Part 2: Evaluation Methodology. 1999,8
[53] ISO,IEC.Information Technology-Guidelines for the Management of IT Security-Part 1: Concepts and Models for IT Security.2001.4
[54] ISO,IEC.Information Technology-Guidelines for the Management of IT Security-Part 2: Managing and Planning IT Security.2001,4
[55] ISO,IEC.Information Technology-Guidelines for the Management of IT Security-Part 3: Techniques for the Management of IT Security. 1998
[56] ISO,IEC.Information Technology-Guidelines for the Management of IT Security-Part 4: Selection of Safeguards.ISO.2000,3
[57] ISO.IEC.Information Technology-Guidelines for the Management of IT Security-Part 5: Management Guidance on Network Security.200,10
[58] NSA. The Information Assurance Technical Framework. NSA. 2002,9
[59] Thomas R. Peltier. Information Security Risk Analysis. 2001
[60] Yacov Y. Haimes. Risk Modeling, Assessment, and Managemen. 2002
[61] The Newly Revised Part2 of BS 7799, www.xisec.com
[62] Introduction to Security Risk Analysis. http://s11.sitemeter.com
[63] P~2DR. http://bj.is-one.net/solution/p2dr.shtml
[64] PADIEE. http://bj.is-one.net/solution/padimee.shtml
[2] 魏春光.北京电子政务系统安全策略.www.cnki.net.2003,5
[3] 黄元飞.信息技术安全性评估准则研究.www.cnki.net.2002,5
[4] 李守鹏.信息安全及其模型与评估的几点新思路.www.cnki.net.2002,5
[5] 梁晖.现在制造系统中的信息网络安全.www.cnki.net.2002,5
[6] 刘春年.网络信息安全保险研究.www.cnki.net.2002,5
[7] 袁德刚.特定信息系统安全体系设计.www.cnki.net.2002,5
[8] 秦保社.社会保险管理信息系统的设计与实现.www.cnki.net.2002,5
[9] 王春.电子商务交易平台安全架构的研究与应用.www.cnki.net.2002.5
[10] 田珂.CIMS中信息安全模型的建立及技术实现.www.cnki.net.2002,5
[11] 熊正光.VPN 产品中 IPSec 协议分析及产品的测试方法研究.www.cnki.net.2002,5
[12] 张芳云.网上证券交易安全技术研究.www.cnki.net.2002,5
[13] 马永祥.信息系统的安全研究.www.cnki.net.2002,5
[14] 詹彩云.信贷管理专家系统的设计与实现.www.cnki.net.2002,5
[15] 焦鹏.软件项目风险评估方法的研究.www.cnki.net.2003,5
[16] 朱晓静.网络银行运作中的风险管理.www.cnki.net.2002,5
[17] 吴世忠.基于风险管理的信息安全保障的研究.www.cnki.net.2002,5
[18] 谢彬.IT项目风险管理理论与实践.www.cnki.net.2003,5
[19] 卞莹.基于BS7799风险评估数据库系统设计与实现.中国科学技术大学.2003,5
[20] 廖泉文主编.人力资源发展系统.济南:山东人民出版社.2000,4
[21] 宋如顺.安全技术的安全风险分析与评估.计算机工程与应用.2001,12,24.83
[22] 姚孝明,陈健民.电子商务安全的风险分析与防范技术.计算机与现代化.2001,7.22
[23] 郭红芳,曾向阳.风险分析方法研究.计算机工程.2001,3,27.3.131
[24] 颜兆林,龚时雨,周经伦.概率风险评价系统.计算及应用研究.2001,2.40
[25] 宋如顺.信息系统安全风险综合分析方法.计算机工程.2000,12,26,12.33
[26] 余坚,郑跃斌.信息系统开发过程风险管理的实施模型.计算机工程与应用.2002,12,110
[27] 崔宝灵,鞠晓峰.SSE-CMM模型结构特征综述.高技术通讯.2001,5.101
[28] 宋如顺.基于SSE-CMM的信息系统安全风险评估.计算及应用研究.2000,11.13
[29] 钱刚.基于SSE-CMM的信息系统安全风险评估方法研究.计算机工程.2002,9,28,9.98
[30] 石文昌,孙玉芳.计算机安全标准演化与安全产品发展.广西科学.2001,8.168
[31] 石文昌,孙玉芳.CC标准框架下安全确信度的定量描述方法.广西科学.20012,9.1
[32] 江常青,吴世忠.一种信息系统安全测度的框架.信息安全与通信保密.26
[33] 国家烟草专卖局信息化工作领导小组办公室.烟草行业计算机网络和信息安全技术与管理规范.国家烟草专卖局烟草经济信息中心.2002,12
[34] 科飞管理咨询公司编著.信息安全管理概论——BS 7799理解与实施.机械工业出版社.2002
[35] 前导工作室译.网络安全技术内幕.机械工业出版社.2001
[36] E.Eugene Schultz著.网络安全事件响应.人民邮电出版社.2002
[37] 张维明,肖卫东等著.信息系统工程.电子工业出版社.2003
[38] 巨乃岐,欧仕金等著.信息安全——网络世界的保护神.军事科学出版社.2003
[39] 思乐安全体系方案。http:www.chinabbc.org
[40] 层次分析法.http://www.bast.cn.net/kxmc/index3.htm
[41] C J Tarr, Dr P Kinsman. Thr Validity Of Security Risk Assessment. IEEE. 1996
[42] Nick Larson, Andrew Kusiak. Managing design processes a risk assessment approach. IEEE. 1996,9,26,6.749
[43] Steven R. Trammell, Ronald D. Wright, Integrating risk assessment into management systems, IEEE, 1999.156
[44] Ray Madachy, Knowledge-based risk assessment and cost estimation, IEEE. 1994. 172
[45] Jan Qycind Aagedal, Folker den Braber. Model-based risk assessment to improve enterprise security. IEEE. 2002
[46] Hany H. Ammar. Risk assessment of software-system specifications. IEEE. 2001. 171
[47] ISO/IEC 17799-2000:Information technology——Code of practice for information security management.2000,12
[48] Common Criteria for Information Technology Security Evaluation Part 1: Introduction and general model. 1999, 8
[49] Common Criteria for Information Technology Security Evaluation Part 2: Security functional requirements. 1999,8
[50] Common Criteria for Information Technology Security Evaluation Part 3: Security assurance requirements. 1999,8
[51] Common Evaluation Methodology for Information Technology Security Part 1: Introduction and general model. 1997,1
[52] Common Evaluation Methodology for Information Technology Security Part 2: Evaluation Methodology. 1999,8
[53] ISO,IEC.Information Technology-Guidelines for the Management of IT Security-Part 1: Concepts and Models for IT Security.2001.4
[54] ISO,IEC.Information Technology-Guidelines for the Management of IT Security-Part 2: Managing and Planning IT Security.2001,4
[55] ISO,IEC.Information Technology-Guidelines for the Management of IT Security-Part 3: Techniques for the Management of IT Security. 1998
[56] ISO,IEC.Information Technology-Guidelines for the Management of IT Security-Part 4: Selection of Safeguards.ISO.2000,3
[57] ISO.IEC.Information Technology-Guidelines for the Management of IT Security-Part 5: Management Guidance on Network Security.200,10
[58] NSA. The Information Assurance Technical Framework. NSA. 2002,9
[59] Thomas R. Peltier. Information Security Risk Analysis. 2001
[60] Yacov Y. Haimes. Risk Modeling, Assessment, and Managemen. 2002
[61] The Newly Revised Part2 of BS 7799, www.xisec.com
[62] Introduction to Security Risk Analysis. http://s11.sitemeter.com
[63] P~2DR. http://bj.is-one.net/solution/p2dr.shtml
[64] PADIEE. http://bj.is-one.net/solution/padimee.shtml