
Design and Implementation of Information Security System Model

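【Author】 Xia Nan (夏楠)

【Supervisor】 Li Zhongxian (李忠献)

【Author information】 Beijing University of Posts and Telecommunications, Information Security, 2013, Master's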

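【Abstract】 With the arrival of the information age, information resources have become increasingly important to the information society. From people's daily work and life, to enterprise management, to national governance, information resources are an indispensable key resource, and the development of modern society depends on the support of all kinds of information resources. However, as information plays an ever more important role in the development of the information society, the accompanying information security problems are also becoming increasingly serious, and information urgently needs security protection and security management. At present, many standardization organizations have put forward their own information security management system standards and models, and these standards have been applied well in certain industries, such as telecommunications; moreover, many companies have now incorporated information security management into their day-to-day management, and information security management is highly valued by many enterprises. However, if an enterprise merely produces all the documents required by the information security management standards, without an information security management system to support the information security management framework, it cannot manage information security effectively. The information security management system plays a very important role in information security management: it provides the support through which information security management is actually put into practice. This thesis first surveys and analyzes the main information security management systems in China and finds that they share four common problems: (1) Assets are not linked to the business they carry; these systems reflect only the security status of individual assets and do not reflect the security status of the overall business system that the assets carry. (2) Current domestic information security management systems are mostly passive: a security incident can be detected only after it has already occurred, and cannot be prevented in advance. (3) They lack topology management. (4) They lack dynamic tracking and analysis of asset risk across the whole life cycle, and lack dynamic tracking of the increase, reduction and avoidance of asset risk. The thesis then designs a new information security management system model that can solve the problems of the current mainstream information security management systems. Based on this model, the thesis designs and implements an information security management system, and then verifies that the implemented system solves the problems found in the current mainstream systems. However, the risk management of this system is based on the results of traditional risk assessment, which centres on assessing asset vulnerabilities. Applying the information security management system to large distributed information systems, such as industrial control systems and power systems, is therefore not very suitable. The thesis first describes the problems of applying the traditional risk assessment approach to industrial control systems, then designs a business-oriented risk assessment approach and a method for identifying at-risk hosts for industrial control systems, and verifies the feasibility of the method with an application example. When the information security management system is applied to industrial control systems, its risk assessment approach and asset identification method must change accordingly.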

【English Abstract】 With the coming of the information society, information resources are more and more important. Information resources are essential to people's daily lives, the operation of organizations and the management of countries, and they support the development of modern societies. However, the security of information resources is becoming more and more critical. Nowadays, many organizations have published their own information security management system standards and models, which many companies use effectively, and many companies have given information security management a crucial position. However, if a company only produces the documents required by information security management system standards, information security management cannot be carried out efficiently without the support of an information security management platform. Such a platform is crucial to carrying out information security management efficiently. First, the paper analyzes the characteristics of security management systems in China and finds four general problems in them: (1) Assets are not related to the business system: all security management systems can reflect the security levels of assets, but only a few can reflect the security level of a business system as a whole. (2) Many security management systems in China work passively: they can detect threats only when incidents happen, and cannot manage them actively. (3) Many security management systems lack topology management and do not support creating, deleting, modifying and viewing topology. (4) Many security management systems lack dynamic risk management and cannot support creating, deleting and modifying risks throughout the system life cycle.

Second, in response to these four general problems, the paper designs a new security management system model that can solve them. Third, based on the new model, the paper implements a new information security management system and verifies how it solves the problems existing in security management systems in China. However, the new information security management system is based on traditional methods of risk evaluation; when it is used for complex information systems, such as industrial control systems and electrical systems, it is not effective or appropriate. Fourth, the paper analyzes why traditional methods of risk evaluation are not appropriate for complex information systems, and then introduces a new method of risk evaluation and vulnerable-system identification for industrial control systems, given the lack of risk evaluation methods and of simulation platforms for industrial control system environments. The new risk evaluation method identifies system vulnerabilities from documents such as system requirements specifications and system safety requirements, in order to solve the problem that industrial systems cannot be scanned by vulnerability scanning tools. The new vulnerable-system identification method uses Bayesian networks to identify the most vulnerable systems efficiently, in order to solve the problem that the most vulnerable systems cannot be identified efficiently from the huge volume of vulnerability scanning tool results. Finally, the paper gives an example to verify the effectiveness of the new methods of risk evaluation and vulnerable-system identification.
