Student Theses

Thesis Search Result


Thesis No.: 8366
Author No.: 2120132974
Upload time: 2016/6/8 11:50:33
Chinese title: J学院门户网站的信息安全风险管理研究
English title: Research on the Management of Information Security Risk in J College's Portal Website
Advisor: 安利平
Chinese keywords (translated): project management; information system security; risk assessment; risk management
English keywords: Project Management; Information System Security; Risk Assessment; Risk Management
Chinese abstract (translated): Today, as informatization advances rapidly, information security problems have become increasingly prominent, whether in internal information systems or in systems open to the outside. A portal website, and a campus portal in particular, is the most important and most common entry point to the information systems of a campus network; the vulnerability of its own software and hardware, together with the infiltration of unsafe external factors, can lead to security incidents such as information leakage, which puts the security and robustness of campus portal information to a severe test. Survey data show that the information security of many campus websites is not well managed, and in some cases security problems remain unresolved long after they appear. How to manage the risks to a website's information security, and thereby secure the website, is the starting point and focus of this thesis.

Information security risk management analyzes risks, assesses the impact they would have, formulates response plans for those impacts, avoids the impact as fully as possible, and ultimately keeps the information system secure and stable. In the current environment, analysis of information security risk control concentrates mainly on risk assessment, so risk assessment can be regarded as the key to risk management, and research on it focuses on the relevant standards and on specific models and methods. Although the standards and the methods they adopt differ, the information security risk management process they use is the same. Risk analysis methods fall into three kinds: qualitative, quantitative, and a combination of the two. Information systems generally use the combined qualitative-and-quantitative approach; the specific risk assessment model may be taken from the relevant international or national standards or built for the actual application.

Taking the J College portal website as a concrete application case, this thesis combines project risk management with information system security risk assessment theory, refers to the national standard GB/T 20984-2007, and, from the perspective of website operation and maintenance, manages the website's security problems through four stages: information security risk planning, risk identification, risk analysis, and risk response and monitoring. In the planning stage it applies the theories of project management and project risk management. In the identification stage it adopts the asset, threat and vulnerability identification methods given in GB/T 20984-2007. In asset identification in particular, risk is determined by the degree to which an asset's three security attributes (confidentiality, integrity and availability) are achieved, so asset values are assigned by expert discussion: the website's hardware assets are identified and quantified, weighted values are assigned according to the three security attributes, and the final asset value is determined. Threats and vulnerabilities are likewise identified and quantified by combining the actual situation with the national standard and related literature, and finally the relationships among assets, threats and vulnerabilities are established. In the analysis stage, the values are substituted into the model given in the national standard and the matrix method is used to calculate the risk value of each item in the website system, thereby identifying the severe, unacceptable risks and the individual risk points in the system. In the response stage, based on the analysis results, reasonable response measures are proposed through expert discussion and targeted treatment, with website security monitoring as the follow-up, making security risk management of the website routine. From the three aspects of technology, people and management, an information security risk management system for the college website is established, and following the full-life-cycle view of website security risk, the cycle is repeated so that the website's information security is risk-managed periodically, which improves the college website's security structure and better protects the website.

Analysis of the security measures shows that some measures already existed and were being carried out before, but owing to lapses in personnel management and individual awareness, many were not executed thoroughly. For example, the instability risk of the mass storage devices, rated a severe risk in the assessment, arose because machine-room staff did not follow the periodic inspection and reporting system and lacked the awareness to maintain and inspect the equipment in the machine room; extending this to the assessment results, many of the severe risks were caused by human factors. Establishing a security risk management system for the college website is a necessary requirement for preventing and responding to risk; at the same time the system is a solution oriented to all types of risk, so it must consider both traditional sources of risk and crises in personnel and services, and both guard against external network attacks and respond to ambiguous crises such as management failures. Under the guidance of the overall system, the risk management system should also be integrated with the corresponding organizational structure and security incident response plan, making full use of the role of people and management systems in risk management.

Further, since the J College website has been in operation for a long time and the risks it encounters are random and uncertain, security incidents can be managed using the security incident life-cycle theory, which divides an incident into three stages: before the risk event, during it, and after it. Before an incident, risk assessment is performed in advance as prevention, still using the most basic risk assessment method; while an incident is occurring, timely monitoring and response reduce its severity; afterwards, the lessons are summarized and corrections made so that the system returns to a secure state with a higher capacity to withstand risk. Each time a risk materializes, the before, during and after phases can be documented, eventually forming a knowledge base of risk responses that provides reference samples for all the risks of the information system.

The research draws heavily on the risk assessment model and methods of GB/T 20984-2007, identifying and assessing risk mainly qualitatively with quantitative support. Further work could adopt quantitative methods to reduce the subjectivity of qualitative analysis, make more use of data analysis tools and cloud security data when analyzing specific data, and analyze website security incidents from the attacker's and the defender's perspectives using game theory. In summary, through a case study the thesis strengthens the security of the college website by applying security risk management and establishes an information security risk management system for the website that runs throughout its security management; it has practical significance and offers a reference for website security management at other institutions.
English abstract: Informatization is advancing rapidly today, and information security problems are becoming increasingly prominent in both internal and externally open information systems. Web portals, and campus web portals in particular, are the most important and most common entry point to the information systems of a campus network. Vulnerabilities in their own hardware and software, together with the penetration of unsafe factors from outside, can lead to security incidents such as information leakage, which poses a serious challenge to the security and soundness of campus portals. Survey data also show that the information security of many campus websites has not been managed well, and that security problems sometimes remain unsolved for a long time after they occur. How to manage the risks to a website's information security and so ensure the website's security is the starting point and focus of this thesis. Information security risk management builds on risk analysis and ultimately aims to achieve the security and stability of the information system. In the current environment, analysis of risk management and control for information security focuses mainly on risk assessment, so risk assessment can be regarded as the key, and research on it concentrates on the relevant standards and on specific models and methods. Although the standards and methods differ, the information security risk management process is the same. Risk analysis methods are of three kinds: qualitative, quantitative, and a combination of the two. Information systems generally use the combined method; the risk assessment model may be taken from the relevant international or national standards or built for the specific case.

This thesis focuses on the concrete application case of J College's web portal, combines project risk management with information system security risk assessment theory, and refers to the national standard GB/T 20984-2007. From the angle of website operation and maintenance, it manages the website's security problems in four stages: information security risk planning, risk identification, risk analysis, and risk response and monitoring. In the planning stage it applies the theories of project management and project risk management. In the identification stage it adopts the identification methods for assets, threats and vulnerabilities given in GB/T 20984-2007. In asset identification in particular, risk is determined by the degree to which an asset's three security attributes, confidentiality, integrity and availability, are achieved; the thesis therefore assigns asset values by expert discussion, identifies and quantifies the website's hardware assets according to the college website's actual operating situation, weights the three security attributes, and so determines each asset's value. Threats and vulnerabilities are identified and quantified by combining the concrete situation with the national standard and the literature, and finally the connections between assets, threats and vulnerabilities are established. In the analysis stage, the values are put into the model given in the national standard and the matrix method is used to calculate the risk value of each part of the website system; in this way the serious, unacceptable risks are identified and the various risks present in the system are analyzed.

In the response stage, reasonable response measures are proposed on the basis of the analysis results through expert discussion and targeted strategies. Website security monitoring then follows as an ongoing activity, making website security risk management routine. From the three aspects of technology, personnel and management, an information security risk management system for the college website is established and its security architecture improved, in order to maintain and manage the college website's security better. Analysis of the security measures shows that some measures already existed and were being executed, but because of negligence in personnel management and personal awareness many problems were not fully dealt with: the instability of the mass storage devices, listed as a serious risk in the assessment, arose because machine-room staff who lacked such awareness did not carry out the periodic inspection and reporting system. Many of the serious risks in the assessment results were caused by human factors. A security risk management system for the college website is a necessary requirement for preventing and handling risks, and at the same time it is a solution for all types of risk: traditional sources of risk must be considered alongside crises in personnel and services, external cyber attacks must be prevented, and management crises must be handled. Under the guidance of the overall system, the organizational structure and the security incident response plan both play an important role in risk management. Given the long operating period of the J College website and the uncertain risks it meets, the security incident life-cycle theory is adopted to keep the system secure. The life cycle of a security incident is divided into three stages: before the risk event, while it occurs, and after it.

Before the risk event, risk management methods are used to prevent it; once it occurs, timely monitoring and response reduce its severity; afterwards the system is restored and should gain a higher ability to resist risk. Records kept during these three stages can form part of an experience base that provides reference cases for other website security incidents. In the course of the study, the risk assessment model and methods of the national standard GB/T 20984-2007 were used; further research should draw on more models and methods, adopt quantitative methods to reduce the subjectivity of qualitative analysis, make greater use of data analysis tools and cloud security data, and apply game theory when considering security from both the offensive and the defensive side. To sum up, the case study of security risk management for the college website enhances the website's security and establishes a risk management system for the site that runs through security management from beginning to end; it has practical significance and provides a reference for the security management of other sites.
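The asset, threat and vulnerability scoring and the matrix-method risk calculation that both abstracts describe (weighted CIA asset value, then likelihood from threat x vulnerability, loss from asset value x vulnerability, risk from likelihood x loss, then flagging the unacceptable risks), as an added worked example; this is not code from the thesis. Everything numeric in it is an assumption: the 1..5 scale for each score, the CIA weights, the three lookup matrices, the acceptance threshold, and the three constructed hardware assets (a portal web server, a mass storage array and a core switch) with their scores. The matrices imitate the structure of the method but are not the tables in GB/T 20984-2007.

```python
"""Matrix-method information security risk assessment, illustrative only.

Added example (not from the thesis). Scores are integers 1..5; weights,
matrices and threshold are assumed values, not those of GB/T 20984-2007.
"""
from dataclasses import dataclass

# Assumed CIA weights; the thesis fixes these by expert discussion.
CIA_WEIGHTS = {"C": 0.3, "I": 0.3, "A": 0.4}

# Illustrative 5x5 lookup matrices, indexed [row - 1][col - 1], values 1..5.
LIKELIHOOD = [  # rows: threat frequency, cols: vulnerability severity
    [1, 1, 2, 2, 3],
    [1, 2, 2, 3, 3],
    [2, 2, 3, 3, 4],
    [2, 3, 3, 4, 5],
    [3, 3, 4, 5, 5],
]
LOSS = [  # rows: asset value, cols: vulnerability severity
    [1, 1, 2, 2, 3],
    [1, 2, 2, 3, 3],
    [2, 2, 3, 4, 4],
    [2, 3, 4, 4, 5],
    [3, 3, 4, 5, 5],
]
RISK = [  # rows: likelihood of the security event, cols: loss if it occurs
    [1, 1, 2, 2, 3],
    [1, 2, 2, 3, 3],
    [2, 2, 3, 3, 4],
    [2, 3, 3, 4, 5],
    [3, 3, 4, 5, 5],
]
LEVEL_NAMES = {1: "very low", 2: "low", 3: "medium", 4: "high", 5: "very high"}
UNACCEPTABLE_FROM = 4  # assumed threshold: high and very high must be treated


def _check(score, name):
    """Reject anything outside the 1..5 integer scale before it indexes a matrix."""
    if not (isinstance(score, int) and 1 <= score <= 5):
        raise ValueError(f"{name} must be an integer in 1..5, got {score!r}")
    return score


def asset_value(c, i, a, weights=CIA_WEIGHTS):
    """Weighted confidentiality/integrity/availability score on the 1..5 scale."""
    v = (_check(c, "C") * weights["C"] + _check(i, "I") * weights["I"]
         + _check(a, "A") * weights["A"])
    return max(1, min(5, int(v + 0.5)))  # round half up, clamp to the scale


@dataclass
class Scenario:
    asset: str
    c: int
    i: int
    a: int
    threat: str
    threat_freq: int   # how often the threat is expected to act, 1..5
    vuln: str
    vuln_sev: int      # how easily the vulnerability is exploited, 1..5


@dataclass
class Result:
    scenario: Scenario
    asset_val: int
    likelihood: int
    loss: int
    risk: int

    @property
    def level(self):
        return LEVEL_NAMES[self.risk]

    @property
    def unacceptable(self):
        return self.risk >= UNACCEPTABLE_FROM


def assess(s: Scenario) -> Result:
    """Three matrix lookups: likelihood, then loss, then risk."""
    av = asset_value(s.c, s.i, s.a)
    t = _check(s.threat_freq, "threat frequency")
    v = _check(s.vuln_sev, "vulnerability severity")
    likelihood = LIKELIHOOD[t - 1][v - 1]
    loss = LOSS[av - 1][v - 1]
    risk = RISK[likelihood - 1][loss - 1]
    return Result(s, av, likelihood, loss, risk)


def assess_all(scenarios):
    """Assess every scenario and rank by risk value, highest first."""
    return sorted((assess(s) for s in scenarios), key=lambda r: r.risk, reverse=True)


# Constructed sample inventory (not the thesis's data).
SAMPLE_SCENARIOS = [
    Scenario("portal web server", 4, 4, 5, "injection attack on the portal", 3,
             "unvalidated user input in a web form", 5),
    Scenario("mass storage array", 3, 5, 5, "disk failure goes unnoticed", 4,
             "periodic inspection and reporting not carried out", 4),
    Scenario("core switch", 2, 3, 4, "short power outage", 2,
             "no UPS on one feed", 2),
]

if __name__ == "__main__":
    for r in assess_all(SAMPLE_SCENARIOS):
        flag = "UNACCEPTABLE" if r.unacceptable else "acceptable"
        print(f"{r.scenario.asset:<20} asset={r.asset_val} L={r.likelihood} "
              f"S={r.loss} risk={r.risk} ({r.level}) {flag}")
```

The point of keeping each score on a shared 1..5 scale and validating it before the lookup is that the matrix method is only as defensible as its inputs: an expert-assigned value outside the scale silently becomes an index error or a wrong cell, so the check belongs at the boundary. Changing the weights or the matrices changes which scenarios cross the acceptance threshold, which is exactly the subjectivity the abstract says further quantitative work should reduce.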