Research on Information Security Management Strategies for Small and Medium-Sized Enterprises
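Abstract
In China, an enterprise is classified as a small or medium-sized enterprise (SME) if it has fewer than 2,000 employees, turnover below 300 million yuan, or total assets below 400 million yuan; meeting any one of these criteria is sufficient. Starting from an analysis of a number of Chinese SMEs, this thesis points out the importance and necessity of building information security. It first evaluates the resources in the information system, including hardware, software, data, and documentation. It then analyzes the threats the system may face, including unauthorized access and information leakage, and proposes corresponding security management strategies: defining users' rights and responsibilities, covering account usage, resource access permissions, password use, and backups; and defining system administrators' rights and responsibilities, covering physical security, system configuration, account setup and privileges, password management, auditing and monitoring, backups, and personal privacy. Finally, it proposes a technical support plan.
Next, the planning of enterprise information security management strategy is discussed according to the characteristics of SMEs in terms of three systems: the management system, the organization system, and the technical system. This simplifies the original planning approach, which was organized by procedure strategy, information resource classification strategy, standard access definition strategy, password management strategy, network security strategy, desktop strategy, server platform strategy, and application strategy.
The thesis gives a plan for implementing, maintaining, and improving information security management strategy that fits the current situation of SMEs in China. By analyzing and comparing information security management models, it proposes the information security management model KEPDCA, which has been applied successfully. It presents an SME information management plan based on the KEPDCA strategy model and, through an empirical study of information security management strategy based on the KEPDCA model, concludes that the strategies studied can basically solve the information security management problems that SMEs in China currently face.
In summary, this thesis gives a fairly complete solution for formulating information security management strategy for SMEs.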
In China, enterprises with fewer than 2,000 people, with turnover below 300 million yuan, or with total assets of less than 400 million yuan are categorized as SMEs; meeting any one indicator makes an enterprise an SME. Starting from the actual security needs of some small and medium-sized enterprises, the article points out the importance and necessity of information security. The resources in the information system, for instance hardware, software, and data, are evaluated. It then analyzes the threats, including unauthorized access and information leakage. The corresponding control policies follow: confirm the users' rights and duties, including the mode of using accounts, the limits on accessing resources, the application of passwords, and the building of backups; confirm the administrators' rights and duties, including physical safety, system configuration, account configuration, password management, audit and control, and backup. After that, it offers a technical support program.
Then, the planning of the enterprise information security management strategy is elaborated according to the characteristics of small and medium-sized enterprises, separately from the management system, the organization system, and the technical system. This simplifies the original planning approach, which followed procedure strategy, information resource classification strategy, standard access definition strategy, password management strategy, network security policy, desktop strategy, server platform strategy, and application strategy.
The article gives an implementation, maintenance, and improvement plan for information security management strategy that conforms to the present situation of small and medium-sized enterprises in our country. Through analysis and comparison of information security management models, it gives a small and medium-sized enterprise information management plan based on the KEPDCA information security management strategy model. Through an empirical study of information security management strategy based on the KEPDCA model, it concludes that the information security management strategy studied in the paper can solve the present information security management problems of small and medium-sized enterprises in our country.
In a word, the article presents a holistic solution for SMEs' security strategy.