Research on an SCP2DR2-Based Ranking Model for Information Security Risk Control
Abstract
With the advance of the era of technological innovation and of global integration, information technology has spread rapidly. Information has become the nerve centre of many industries and sectors in China, the information industry has become a major driver of the world economy, and informatization plays an irreplaceable role in restructuring the economy, transforming traditional industries and raising living standards. But as China's information industry and informatization have developed at high speed, the business environment has grown more complex and competition fiercer, and risk has grown with them: hacker intrusions have intensified, viruses run rampant, and information leaks occur time and again. This has become a major problem for enterprises and their managers. Information security directly affects the daily work and normal operation of these enterprises and sectors, and the reliability and integrity of information bear directly on an enterprise's viability and competitiveness. Therefore, to make better use of information and secure a favourable position in market competition, enterprises must consider information security risk control as informatization develops further.
For enterprises, information security requirements differ across industries, across applications, and even across departments of the same enterprise, and building information security is not a matter of "the more secure, the better". Risk control in information security means protecting information as far as possible according to these differing security needs, preserving the integrity, availability and confidentiality of information, and identifying and controlling risk within an acceptable cost range. Only by mastering methods for identifying, assessing and controlling information security risk, and by selecting the most effective control measures for the various risks it faces, can an enterprise ensure that information is used securely while enjoying the convenience and speed that information technology brings. In the globally integrated Internet environment, most security problems stem not from backward technology but from management deficiencies, so technology alone cannot solve every information security problem; risk must be controlled through a combination of management, technology, culture, law and other factors. How an enterprise facing complex and intertwined threats can quickly select control measures to improve its protection and assurance capability is therefore an important topic that calls for in-depth study and urgently needs a solution.
The main purpose of this thesis is to let enterprise managers understand information security risk more comprehensively and concretely. Through the information security risk control ranking model they can see clearly the priority of the various control measures and choose among them accordingly, so as to control the relevant risks in a targeted way, reduce the losses that risk inflicts on the enterprise, effectively guarantee normal production and operation, raise the enterprise's core competitiveness, provide a strong guarantee for its management, and ultimately allow the enterprise to achieve its strategic goals.
The research framework of this thesis consists of the following six parts:
Part one: introduction. It sets out the research background and significance of the thesis, surveys the state of the field at home and abroad, and presents the research framework.
Part two: theory of information security risk control. It introduces the meaning and characteristics of information security, and the meaning, characteristics and constituent elements of information security risk. It then introduces the information security risk management system, including the information security risk assessment method (fuzzy mathematics) and the identification of information security risk, laying the theoretical foundation for the rest of the thesis.
Part three: the information security risk control system. It focuses on the information security risk control process and explains each step in detail, including the modes and the measures of information security risk control.
Part four: ranking of information security risk control measures. This part is the core of the thesis. It first introduces the P2DR security control model and the SCP2DR2 model and analyses the characteristics of both in detail; on the basis of the SCP2DR2 model it classifies information security risk control measures and then proposes a ranking model for them. Control measures are assigned values by the reciprocal assignment method from the experts' ranking of the same class of control measures for each threat faced by each asset; the weight of each threat is then calculated from the asset weights, the ordering theory of triangular fuzzy numbers, the relationship between threats and vulnerabilities, and the impact of vulnerabilities on assets; combining the two yields the composite ranking of the information security risk control measures.
Part five: application of the ranking model in an enterprise. Protective control measures are selected and the process of ranking information security risk control measures is demonstrated on a concrete enterprise example.
Part six: conclusion. It summarises the research content and results of the thesis, and discusses the shortcomings of the study and directions for future research.
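The ranking procedure outlined in part four (reciprocal assignment from expert rankings, threat weights built from asset weights and triangular fuzzy numbers, then a weighted composite) is easier to audit when carried through on a small example. The following Python is an added illustration, not the thesis's own code or data: the enterprise (three assets, one threat each, four protective controls), the linguistic scale, the centroid defuzzification of triangular fuzzy numbers and the product form of the threat weight are all constructed assumptions standing in for the thesis's formulas, which the abstract does not give.

```python
"""Toy composite ranking of risk-control measures in the style of the
SCP2DR2-based model described in the abstract.

Added example, not the thesis's code.  Assumptions: centroid defuzzification
for triangular fuzzy numbers, and threat weight = asset weight x vulnerability
x impact, normalised over all (asset, threat) pairs."""
from fractions import Fraction
from typing import Dict, List, Tuple

# Triangular fuzzy number (lower, modal, upper) on a 0..1 scale.
TFN = Tuple[Fraction, Fraction, Fraction]

# Constructed linguistic scale for vulnerability level and impact (assumption;
# the abstract does not give the thesis's membership functions).
LOW: TFN = (Fraction(0), Fraction(1, 10), Fraction(3, 10))
MEDIUM: TFN = (Fraction(3, 10), Fraction(1, 2), Fraction(7, 10))
HIGH: TFN = (Fraction(7, 10), Fraction(9, 10), Fraction(1))

# Constructed sample enterprise: asset weights (sum to 1), one threat per asset
# with its vulnerability level and the impact of that vulnerability on the asset,
# and the experts' ranking of the same class of protective controls per pair.
ASSETS: Dict[str, Fraction] = {
    "customer_db": Fraction(1, 2),
    "web_server": Fraction(3, 10),
    "office_lan": Fraction(1, 5),
}
SCENARIOS: Dict[Tuple[str, str], Tuple[TFN, TFN]] = {
    ("customer_db", "data theft"): (HIGH, HIGH),
    ("web_server", "intrusion"): (MEDIUM, HIGH),
    ("office_lan", "malware"): (HIGH, LOW),
}
EXPERT_RANKINGS: Dict[Tuple[str, str], List[str]] = {
    ("customer_db", "data theft"): ["encryption", "MFA", "patching", "firewall"],
    ("web_server", "intrusion"): ["patching", "firewall", "MFA", "encryption"],
    ("office_lan", "malware"): ["patching", "firewall", "encryption", "MFA"],
}


def defuzzify(tfn: TFN) -> Fraction:
    """Centroid of a triangular fuzzy number: the mean of its three vertices."""
    lower, modal, upper = tfn
    return (lower + modal + upper) / 3


def reciprocal_scores(ranking: List[str]) -> Dict[str, Fraction]:
    """Reciprocal assignment: the control ranked k-th (1-based) scores 1/k."""
    return {control: Fraction(1, k) for k, control in enumerate(ranking, start=1)}


def threat_weights(assets: Dict[str, Fraction],
                   scenarios: Dict[Tuple[str, str], Tuple[TFN, TFN]]) -> Dict[Tuple[str, str], Fraction]:
    """Weight of each (asset, threat) pair: asset weight x defuzzified
    vulnerability level x defuzzified impact, normalised to sum to 1."""
    raw = {
        key: assets[key[0]] * defuzzify(vuln) * defuzzify(impact)
        for key, (vuln, impact) in scenarios.items()
    }
    total = sum(raw.values())
    return {key: value / total for key, value in raw.items()}


def composite_ranking(assets: Dict[str, Fraction],
                      scenarios: Dict[Tuple[str, str], Tuple[TFN, TFN]],
                      expert_rankings: Dict[Tuple[str, str], List[str]]) -> List[Tuple[str, Fraction]]:
    """Composite score of each control = sum over (asset, threat) pairs of
    threat weight x reciprocal score.  Returned highest first, ties by name."""
    if not expert_rankings or set(expert_rankings) != set(scenarios):
        raise ValueError("every scenario needs exactly one expert ranking")
    controls = set(next(iter(expert_rankings.values())))
    for key, ranking in expert_rankings.items():
        # Reciprocal scores are only comparable across pairs when every
        # ranking covers the same set of controls exactly once.
        if set(ranking) != controls or len(ranking) != len(controls):
            raise ValueError(f"ranking for {key} must cover the same controls exactly once")
    weights = threat_weights(assets, scenarios)
    scores = {control: Fraction(0) for control in controls}
    for key, ranking in expert_rankings.items():
        for control, score in reciprocal_scores(ranking).items():
            scores[control] += weights[key] * score
    return sorted(scores.items(), key=lambda item: (-item[1], item[0]))


if __name__ == "__main__":
    for key, weight in threat_weights(ASSETS, SCENARIOS).items():
        print(f"threat weight {key}: {weight} ~ {float(weight):.3f}")
    for control, score in composite_ranking(ASSETS, SCENARIOS, EXPERT_RANKINGS):
        print(f"{control:<12} {score} ~ {float(score):.3f}")
```

Exact fractions are used so that an auditor can reproduce every intermediate value; in this constructed case the heavily weighted data-theft scenario lifts encryption to the top even though two of the three expert rankings put patching first, which is the effect the asset and threat weighting is meant to have. The consistency check in `composite_ranking` matters in practice: if one expert omits a control, its reciprocal score silently drops to zero for that pair and the composite becomes incomparable.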

© 2004-2018 China Geological Library. All rights reserved. 京ICP备05064691号 京公网安备11010802017129号
