Information System Security Evaluation Management System

Abstract
Today, as information technology spreads across the globe, it has made our lives, study, work and entertainment more convenient; at the same time, information systems face a growing number of security problems. According to reports, on average one web page worldwide is infected by a virus every 5 seconds and a hacking incident occurs every 20 seconds, which shows that information system security is under considerable pressure. A security evaluation of an information system yields its actual security posture, helps users understand the system's current security status clearly, and provides corresponding improvement measures and hardening plans for its weak points.
     Building on a study of domestic and international information system security evaluation standards, this thesis proposes and designs a scheme for an information system security evaluation management system, then applies the SSH development framework to develop an experimental approach for each layer of the J2EE-based system, and builds a prototype.
     1. Analysis of indicator weights and expert weights for information system security evaluation. The analytic hierarchy process (AHP) and group-AHP clustering analysis are used to analyze and compute the indicator weights and the expert weights.
     2. Design of the information system security evaluation management system. Following the four principles of practicality, security and reliability, scalability and ease of use, the system is designed with a B/S architecture, J2EE and SSH technology, and the waterfall life-cycle model.
     3. Implementation of the information system security evaluation management system. The design is implemented with MyEclipse, Tomcat, Oracle and other software.
     In summary, combining AHP with fuzzy statistics gives the security evaluation system high flexibility and strong operability, and makes the comprehensive evaluation result more objective and accurate. An evaluation case study verifies that the system is practical and feasible.
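The abstract names AHP and group AHP as the method for deriving indicator weights and expert weights but does not show the computation. The following is an added worked example, not code from the thesis or its prototype: it derives a priority vector from a Saaty 1-9 pairwise-comparison matrix with the row-geometric-mean approximation, rejects judgement matrices whose consistency ratio exceeds Saaty's 0.10 limit, and aggregates several experts' vectors as an expert-weighted arithmetic mean. The geometric-mean approximation, the arithmetic aggregation rule and all matrices are assumptions for illustration; the thesis's exact rules and data are not given on the page.

```python
"""Worked AHP / group-AHP example (added illustration, not the thesis's code).

Indicator weights come from a reciprocal pairwise-comparison matrix via the
row geometric mean (a standard approximation of the principal eigenvector),
each matrix is checked against Saaty's consistency ratio, and experts are
combined with expert weights. All sample matrices are constructed data.
"""
from math import prod

# Saaty's random consistency index by matrix order n (standard table).
RANDOM_INDEX = {1: 0.0, 2: 0.0, 3: 0.58, 4: 0.90, 5: 1.12,
                6: 1.24, 7: 1.32, 8: 1.41, 9: 1.45}
CR_THRESHOLD = 0.10  # Saaty's usual acceptance limit for CR

# Constructed indicator set: physical, network, application security.
INDICATORS = ["physical", "network", "application"]

# Constructed expert judgements on the 1-9 scale (a[i][j] = importance of i over j).
EXPERT_A = [[1, 3, 5], [1 / 3, 1, 3], [1 / 5, 1 / 3, 1]]   # mildly inconsistent
EXPERT_B = [[1, 1, 3], [1, 1, 3], [1 / 3, 1 / 3, 1]]       # perfectly consistent
CYCLIC = [[1, 9, 1 / 9], [1 / 9, 1, 9], [9, 1 / 9, 1]]      # a > b > c > a: must be rejected


def ahp_weights(matrix):
    """Normalized priority vector of a positive reciprocal matrix (row geometric mean)."""
    n = len(matrix)
    for i in range(n):
        if len(matrix[i]) != n:
            raise ValueError("pairwise matrix must be square")
        for j in range(n):
            if matrix[i][j] <= 0 or abs(matrix[i][j] * matrix[j][i] - 1.0) > 1e-9:
                raise ValueError(f"entry ({i},{j}) is not positive reciprocal")
    gm = [prod(row) ** (1.0 / n) for row in matrix]
    total = sum(gm)
    return [g / total for g in gm]


def consistency_ratio(matrix, weights):
    """Saaty's CR = CI / RI, CI = (lambda_max - n) / (n - 1).

    lambda_max is estimated as the mean of (A w)_i / w_i, which is exact
    when w is the principal eigenvector and close otherwise.
    """
    n = len(matrix)
    if n <= 2:
        return 0.0  # 1x1 and 2x2 reciprocal matrices are always consistent
    if n not in RANDOM_INDEX:
        raise ValueError(f"no random index tabulated for n={n}")
    aw = [sum(matrix[i][j] * weights[j] for j in range(n)) for i in range(n)]
    lambda_max = sum(aw[i] / weights[i] for i in range(n)) / n
    ci = (lambda_max - n) / (n - 1)
    return ci / RANDOM_INDEX[n]


def is_consistent(matrix):
    """True when the judgement matrix passes Saaty's CR < 0.10 test."""
    return consistency_ratio(matrix, ahp_weights(matrix)) < CR_THRESHOLD


def group_weights(expert_matrices, expert_weights):
    """Expert-weighted arithmetic mean of each expert's priority vector.

    This is one common group-AHP aggregation (an assumption here). Inconsistent
    judgements are rejected rather than silently averaged into the result.
    """
    if abs(sum(expert_weights) - 1.0) > 1e-9:
        raise ValueError("expert weights must sum to 1")
    vectors = []
    for k, m in enumerate(expert_matrices):
        w = ahp_weights(m)
        cr = consistency_ratio(m, w)
        if cr >= CR_THRESHOLD:
            raise ValueError(f"expert {k}: CR={cr:.3f} exceeds {CR_THRESHOLD}")
        vectors.append(w)
    n = len(vectors[0])
    return [sum(ew * v[i] for ew, v in zip(expert_weights, vectors)) for i in range(n)]


if __name__ == "__main__":
    for name, m in (("A", EXPERT_A), ("B", EXPERT_B), ("cyclic", CYCLIC)):
        w = ahp_weights(m)
        print(f"expert {name}: weights={[round(x, 3) for x in w]} "
              f"CR={consistency_ratio(m, w):.3f} ok={is_consistent(m)}")
    # Constructed expert weights: A is trusted a little more than B.
    g = group_weights([EXPERT_A, EXPERT_B], [0.6, 0.4])
    for ind, x in zip(INDICATORS, g):
        print(f"group weight {ind}: {x:.3f}")
```

The consistency check is the part an evaluator most often omits: averaging in a cyclic judgement such as CYCLIC would produce equal weights that look reasonable but reflect no coherent preference, so the example refuses it before aggregation.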