中国人民银行计算机信息安全管理的问题与对策研究
|
摘要
人类在信息的海洋中生存和发展,正是通过信息来区别不同事物、认识不同事物和改造世界的。信息安全,尤其是金融行业的信息安全,一直是上至国家领导、下至黎民百姓都十分关注的话题。随着我国信息化的日益推进,国民经济和社会发展对网络和信息系统的依赖越来越紧密,尤其是银行、证券等行业的信息系统已经成为国家重要基础设施,这些信息系统的安全运行直接关系到国家的安全、人民的利益和社会的稳定。然而,我国金融行业信息系统安全问题并不容乐观。当前,虽然我国出台了一些相关政策和管理办法,但据专家分析,由于专职的安全监管机构的缺失,使得信息系统安全工作很难落实。近些年来,国内外发生的一系列事件表明,如果重要信息系统没有一定的安全防范能力,一旦发生重大事故或遭遇突发事件,将会造成无可挽回的经济损失。我国相关部门对信息安全工作十分重视,国务院信息化工作办公室司长王渝次曾指出,灾难恢复是信息安全保障的重要的基础性工作,做好国家重要信息系统灾难恢复工作,提高其抵御灾难和重大事故的能力,对于确保重要信息系统数据安全和业务的连续性,保障社会经济的稳定是非常重要的。2003年颁发的《国家信息化领导小组关于加强信息安全保障工作的意见》,对重要信息系统的安全做出了明确要求。2004年,国务院信息办又组织起草了《重要信息系统灾难恢复指南》,并印发给各基础信息网络和重要信息系统主管部门。然而,金融行业的信息化虽然取得了快速发展,但其背后隐藏着可怕的问题:虽然在实现了数据大集中的银行企业中,有80%的企业都做了系统灾难备份中心的建设,但真正能实现业务连续管理的,估计只有15%左右。最近,银行业系统故障不断。就在2006年,中国建设银行总行转账系统发生通信故障,数小时后系统才恢复正常。此事件殃及在中国建设银行投资证券公司全国70余家营业部开户的200万股民,致使股民们因无法进行转账交易而受到经济损失。而在这之后,银联因通信网络和主机出现故障造成全国多省市无法刷卡长达7小时,究竟造成了多大的损失,尚无可靠数据。而近期发生的网银大盗横行网络的一系列事件,也再一次为网络银行系统的信息安全敲响了警钟。
随着银行业务系统顺应趋势的开放和互连,其信息安全范畴已经突破了以业务系统物理隔离和协议隔离为基础的传统银行信息安全。我们必须在一个日趋开放的系统平台上重新审视银行的信息安全问题。金融系统(银行、保险、证券)是国家政策要求实施安全等级保护的11大类关键信息基础设施的重点系统。因此,如何建立一个高效的现代信息安全体系,日益成为突出的问题。
People are surviving and developing in the ocean of information, it is through the information that people are distinguishing different things, recognize different things and reconstruct the world. Information security, especially in financial industry, is always the focus theme of both national leaders and common people. As the increasing advance of informationization in our country, the development of national economy and society are more and more depending on network and information system, even the information system of some industries such as bank and securities has become important basic facilities, of which the safe status is directly related to security of our country, people’s interest and stability of the society. However, the information security of the financial industry in our country is cloudy. At present, our country has issued some concerned policies and administration measures, but according to experts’analysis, the lack of professional security supervision organs has resulted in ineffectiveness information system security. In recent years, a series of affairs happened in domestic and overseas indicate that if without certain security precaution ability on important information system, once suffering from big accidents or sudden matters, it will lead to irreparable economic losses. The interrelated departments in our country pay much attention to information security. The chairman of State Department informationization office Wang Yuci has pointed out that disaster restoration is an important base job for information security guarantee. In addition, to do the restoration job well, to improve prevention ability against disaster and sudden affaires have significant sense for the safety of important information system data, the continuity of business and the stability of social economy.“The opinion of national information leadership team on enhancement of information security”, issued in 2003, providing clearly about the security of important information system. In 2004, the State Department information office has again drawn up“manual on disaster restoration of important information system”and dispensed to the superintended departments of basic information network and important information system. However, the rapid development of informationization in financial industry has brought terrible problems behind: among all the banks realized data concentrated, 80% have constructed system disaster duplicate centers, but only about 15% have actualized business continuous administration. Lately, faults are appearing continuously in banks. In 2006, China Construction Bank had correspondence breakdown in investment account system in the chief bank and it recovered after several hours, incurring great losses to 2 million shareholders due to not being able to transferring transaction in about 70 sales departments of China Construction Bank investment securities companies. Subsequently, China UnionPay had great faults in communication network and host computer, people in most provinces could not use credit card up to 7 hours, how huge losses it caused, not having the reliable data till now. And a great deal of network bank theft affairs happened recently knocked the alarm bell for information security of network bank system.
With the trend of opening and interconnection of the bank system, the category of information security was wider than that of the traditional bank system which based on the physical isolation of business system and isolation by agreement. We must review again the information safety of the bank by means of a gradually developing system platform. Financial system (bank, insurance, securities) is the critical system among 11 categories of key information foundational facilities which required by the national government to implement grade protection. Therefore, how to set up an efficient modern information security system becomes a highlighted question increasingly.
随着银行业务系统顺应趋势的开放和互连,其信息安全范畴已经突破了以业务系统物理隔离和协议隔离为基础的传统银行信息安全。我们必须在一个日趋开放的系统平台上重新审视银行的信息安全问题。金融系统(银行、保险、证券)是国家政策要求实施安全等级保护的11大类关键信息基础设施的重点系统。因此,如何建立一个高效的现代信息安全体系,日益成为突出的问题。
People are surviving and developing in the ocean of information, it is through the information that people are distinguishing different things, recognize different things and reconstruct the world. Information security, especially in financial industry, is always the focus theme of both national leaders and common people. As the increasing advance of informationization in our country, the development of national economy and society are more and more depending on network and information system, even the information system of some industries such as bank and securities has become important basic facilities, of which the safe status is directly related to security of our country, people’s interest and stability of the society. However, the information security of the financial industry in our country is cloudy. At present, our country has issued some concerned policies and administration measures, but according to experts’analysis, the lack of professional security supervision organs has resulted in ineffectiveness information system security. In recent years, a series of affairs happened in domestic and overseas indicate that if without certain security precaution ability on important information system, once suffering from big accidents or sudden matters, it will lead to irreparable economic losses. The interrelated departments in our country pay much attention to information security. The chairman of State Department informationization office Wang Yuci has pointed out that disaster restoration is an important base job for information security guarantee. In addition, to do the restoration job well, to improve prevention ability against disaster and sudden affaires have significant sense for the safety of important information system data, the continuity of business and the stability of social economy.“The opinion of national information leadership team on enhancement of information security”, issued in 2003, providing clearly about the security of important information system. In 2004, the State Department information office has again drawn up“manual on disaster restoration of important information system”and dispensed to the superintended departments of basic information network and important information system. However, the rapid development of informationization in financial industry has brought terrible problems behind: among all the banks realized data concentrated, 80% have constructed system disaster duplicate centers, but only about 15% have actualized business continuous administration. Lately, faults are appearing continuously in banks. In 2006, China Construction Bank had correspondence breakdown in investment account system in the chief bank and it recovered after several hours, incurring great losses to 2 million shareholders due to not being able to transferring transaction in about 70 sales departments of China Construction Bank investment securities companies. Subsequently, China UnionPay had great faults in communication network and host computer, people in most provinces could not use credit card up to 7 hours, how huge losses it caused, not having the reliable data till now. And a great deal of network bank theft affairs happened recently knocked the alarm bell for information security of network bank system.
With the trend of opening and interconnection of the bank system, the category of information security was wider than that of the traditional bank system which based on the physical isolation of business system and isolation by agreement. We must review again the information safety of the bank by means of a gradually developing system platform. Financial system (bank, insurance, securities) is the critical system among 11 categories of key information foundational facilities which required by the national government to implement grade protection. Therefore, how to set up an efficient modern information security system becomes a highlighted question increasingly.
引文
[1]刘默玲信息系统安全体系[J].广东广播电视大学学报, 2002.
[2]王晔信息技术[M] .中国科技投资2008.2.
[3]韩梅刘凌霜浅谈计算机信息系统的安全[J].信息技术, 2002.
[4]李彦旭巴大志成立.网络信息安全技术综述[J].半导体技术, 2002.
[5]袁皓杨晓懿信息安全模型安全控制研究[J].信息安全与通信保密,2007.
[6]金锐警惕基层人行“三论”抬头[N].中国改革报, 2003.
[7]周兆新信息安全管理人才缺口达百万[N].中国人事报, 2004.
[8]陈维高赵华奎要重视信息安全管理[N].战士报, 2004.
[9]吴荣亮做好改革时期基层人行工作[N].上海金融报, 2003.
[10]蒋春芳岳超源陈太一信息系统安全体系结构的有关问题研究[J].计算机工程与应用, 2004.
[11]周久枨“三定”调整:基层人行有喜有忧更有期盼[N].经理日报, 2003.
[12]夏珑浅析网络银行安全体系[J].信息网络安全2007.12.
[13]张四清费明洪基层农发行信息技术改进思路[J].金融电子化2008.2.
[14]窦丽华蒋庆华李晨晖基于Web的信息系统安全研究[J].北京理工大学学报, 2002.
[15]刘长春网络的安全隐患及其对策[J] .商场现代化,2008.5.
[16]蒋萍我国计算机网络及信息安全存在的问题与对策[J].矿山机械2007年35卷10期.
[17]王小平.信息安全管理:是一个没有终点的过程[N].金融时报, 2005.
[18]胡英.信息安全管理将有标准可依[N].计算机世界, 2003.
[19]权双燕计算机密码学[M] .福建电脑2008.3.
[20]黄澄清谈中国互联网信息安全与综合治理[J].信息网络安全2007.12.
[21]周国强鲍淑娣雷世荣.基于分布信息系统的安全模型的研究[J].南京邮电学院学报(自然科学版) , 2002.
[22]王科计算机网络的安全与防范[J] .中小企业管理与科技2008.3.
[23]刘道荣三条路径助力基层人行计算机信息安全管理[N].金融时报, 2006.
[24]蔡卫信息系统安全管理中亟待解决的若干问题[J].信息安全与通信保密, 2002.
[25]文铁华胡湘陵谷士文信息系统安全问题[J].华中师范大学学报(自然科学版) , 2003.
[26]赵馨基于Web的企业管理信息系统安全方案设[J]计.集团经济研究2007.12.
[27]朱福喜Java项目设计与开发范例[M].北京:电子工业出版社,2005.
[28]张晓东江苏联通加强信息安全管理[N].人民邮电, 2003.
[29]陈春玲2007年十大计算机流行病毒[J].计算机与网络2007年24期.
[30]史劲计算机信息系统的安全防范[J].公安学刊:浙江公安高等专科学校学报2007年6期.
[31]张爱民科学发展话保密[J].政工学刊2007年10期.
[32]杜庆川陈冠旭.某炮兵团加强信息安全管理[N].前进报, 2004.
[33]王纯滨浅议计算机网络信息安全管理[J].民营科技2007年11期.
[34] The FALCON decision support system: Preparing communities for weapons of opportunity article Environmental Modelling & Software[J], Volume 22, Issue 4, Pages 431-435(2007) .
[35] Computer-aided assembly planning for the diemaking industry ARTICLE Robotics and Computer-Integrated Manufacturing[J], Volume 22, Issues 5-6, Pages 409-419(2006).
[36] Fiona Fui-Hoon Nah, Ping Zhang, Scott McCoy and Mun Y. Yi .Human–computer interaction research in the management information systems discipline editorial International Journal of Human-Computer Studies[M], Volume 64, Issue 9, Pages 787-788(2006) .
[37] Carsten Fuchs, Lorenzo Quinzio. Integration of a handheld based anaesthesia rounding system into an anaesthesia information management system ARTICLE International Journal of Medical Informatics[M], Volume 75, Issue 7,Pages 553-563(2006) .
[38] Bing Nan Li, Sam Chao and Ming Chui Dong A blood bank information system and its 5-year implementation at Macau ARTICLE Computers in Biology and Medicine[M], In Press, Corrected Proof, Available online 7( 2006) .
[39] Hemosoft: a new software for blood bank and apheresis management article Transfusion and Apheresis Science[M], Volume 30, Issue 3,Pages 193-196 (2006).
[40] Janine L. Spears.The Effects of User Participation in Identifying Information Security Risk in Business Processes.Special Interest Group on Computer Personnel Research Annual Conference,California,2006:351~352.
[41] Huiyong Guo,Ling Zhang . A Weighted Balance Evidence Theory for Structural Multiple Damage Localization[M].Computer Methods in Applied Mechanics and Engineering,2006,195(44):6225~6238.
[42] Bruce Eckel.Thinking in Java(4th Edition)[M]. New York:Prentice Hall PTR,2006.
[43] Franz Rottensteiner,John Trinder.Using the Dempater-Shafer Method for theFusion of LIDAR Data and Multi-spectral Images for BuildingDetection[M].Fusion of Remotely Sensed Data over Urban Areas,2005.
[44] Wang Ping,Yang Genqing.Improvement Method for the Combining Rule of Dempster-Shafer Evidence Theory Based on Reliability[J].Journal of Systems Engineering and Electronics,2005.
[2]王晔信息技术[M] .中国科技投资2008.2.
[3]韩梅刘凌霜浅谈计算机信息系统的安全[J].信息技术, 2002.
[4]李彦旭巴大志成立.网络信息安全技术综述[J].半导体技术, 2002.
[5]袁皓杨晓懿信息安全模型安全控制研究[J].信息安全与通信保密,2007.
[6]金锐警惕基层人行“三论”抬头[N].中国改革报, 2003.
[7]周兆新信息安全管理人才缺口达百万[N].中国人事报, 2004.
[8]陈维高赵华奎要重视信息安全管理[N].战士报, 2004.
[9]吴荣亮做好改革时期基层人行工作[N].上海金融报, 2003.
[10]蒋春芳岳超源陈太一信息系统安全体系结构的有关问题研究[J].计算机工程与应用, 2004.
[11]周久枨“三定”调整:基层人行有喜有忧更有期盼[N].经理日报, 2003.
[12]夏珑浅析网络银行安全体系[J].信息网络安全2007.12.
[13]张四清费明洪基层农发行信息技术改进思路[J].金融电子化2008.2.
[14]窦丽华蒋庆华李晨晖基于Web的信息系统安全研究[J].北京理工大学学报, 2002.
[15]刘长春网络的安全隐患及其对策[J] .商场现代化,2008.5.
[16]蒋萍我国计算机网络及信息安全存在的问题与对策[J].矿山机械2007年35卷10期.
[17]王小平.信息安全管理:是一个没有终点的过程[N].金融时报, 2005.
[18]胡英.信息安全管理将有标准可依[N].计算机世界, 2003.
[19]权双燕计算机密码学[M] .福建电脑2008.3.
[20]黄澄清谈中国互联网信息安全与综合治理[J].信息网络安全2007.12.
[21]周国强鲍淑娣雷世荣.基于分布信息系统的安全模型的研究[J].南京邮电学院学报(自然科学版) , 2002.
[22]王科计算机网络的安全与防范[J] .中小企业管理与科技2008.3.
[23]刘道荣三条路径助力基层人行计算机信息安全管理[N].金融时报, 2006.
[24]蔡卫信息系统安全管理中亟待解决的若干问题[J].信息安全与通信保密, 2002.
[25]文铁华胡湘陵谷士文信息系统安全问题[J].华中师范大学学报(自然科学版) , 2003.
[26]赵馨基于Web的企业管理信息系统安全方案设[J]计.集团经济研究2007.12.
[27]朱福喜Java项目设计与开发范例[M].北京:电子工业出版社,2005.
[28]张晓东江苏联通加强信息安全管理[N].人民邮电, 2003.
[29]陈春玲2007年十大计算机流行病毒[J].计算机与网络2007年24期.
[30]史劲计算机信息系统的安全防范[J].公安学刊:浙江公安高等专科学校学报2007年6期.
[31]张爱民科学发展话保密[J].政工学刊2007年10期.
[32]杜庆川陈冠旭.某炮兵团加强信息安全管理[N].前进报, 2004.
[33]王纯滨浅议计算机网络信息安全管理[J].民营科技2007年11期.
[34] The FALCON decision support system: Preparing communities for weapons of opportunity article Environmental Modelling & Software[J], Volume 22, Issue 4, Pages 431-435(2007) .
[35] Computer-aided assembly planning for the diemaking industry ARTICLE Robotics and Computer-Integrated Manufacturing[J], Volume 22, Issues 5-6, Pages 409-419(2006).
[36] Fiona Fui-Hoon Nah, Ping Zhang, Scott McCoy and Mun Y. Yi .Human–computer interaction research in the management information systems discipline editorial International Journal of Human-Computer Studies[M], Volume 64, Issue 9, Pages 787-788(2006) .
[37] Carsten Fuchs, Lorenzo Quinzio. Integration of a handheld based anaesthesia rounding system into an anaesthesia information management system ARTICLE International Journal of Medical Informatics[M], Volume 75, Issue 7,Pages 553-563(2006) .
[38] Bing Nan Li, Sam Chao and Ming Chui Dong A blood bank information system and its 5-year implementation at Macau ARTICLE Computers in Biology and Medicine[M], In Press, Corrected Proof, Available online 7( 2006) .
[39] Hemosoft: a new software for blood bank and apheresis management article Transfusion and Apheresis Science[M], Volume 30, Issue 3,Pages 193-196 (2006).
[40] Janine L. Spears.The Effects of User Participation in Identifying Information Security Risk in Business Processes.Special Interest Group on Computer Personnel Research Annual Conference,California,2006:351~352.
[41] Huiyong Guo,Ling Zhang . A Weighted Balance Evidence Theory for Structural Multiple Damage Localization[M].Computer Methods in Applied Mechanics and Engineering,2006,195(44):6225~6238.
[42] Bruce Eckel.Thinking in Java(4th Edition)[M]. New York:Prentice Hall PTR,2006.
[43] Franz Rottensteiner,John Trinder.Using the Dempater-Shafer Method for theFusion of LIDAR Data and Multi-spectral Images for BuildingDetection[M].Fusion of Remotely Sensed Data over Urban Areas,2005.
[44] Wang Ping,Yang Genqing.Improvement Method for the Combining Rule of Dempster-Shafer Evidence Theory Based on Reliability[J].Journal of Systems Engineering and Electronics,2005.