Design and Implementation of a Financial Information Security System Based on ISO 27001
Published: 2018-01-27 05:26
Keywords: risk assessment; risk management; ISO 27001 standard; information security management system; J2EE technology. Source: University of Electronic Science and Technology of China (电子科技大学), 2014 master's thesis. Thesis type: degree thesis.
[Abstract]: With the rapid development of computer technology, network security faces major challenges, particularly in the financial industry. Network security problems in the financial industry change as banks' strategies, organizational structures, information systems and operating procedures change. To prevent and reduce risk, a new security management system is needed as a means of preventing financial network security problems. Comprehensive risk management is a new management approach for the financial industry and for information security as well; it uses a risk management model that combines qualitative and quantitative evaluation to assess the risks arising from changes in a bank's internal and external environment. This thesis is based on a survey of financial companies. Combining the actual needs of financial companies, a systematic requirements analysis was carried out, taking into account users' specific requirements and the functions that may need to be added in the future. Architecturally, the system adopts a three-tier B/S model. The data layer uses an Oracle database for data storage and management, relying on Oracle to manage large volumes of data and maintain data consistency. Oracle's strong security and ease of use provide the foundation for the system design and data storage; combined with J2EE technology, this makes it possible to synchronize web page updates with back-end database updates, effectively extending the financial industry's ability to offer real-time services to the outside world. Structurally, the system uses a multi-tier SOA-based software design and database middleware based on Struts and Hibernate, defines a unified data access interface through which upper-layer applications access the underlying database, and implements information system service access through a UDDI registry. Functionally, the system provides pages for business module management, database management, data disaster recovery management, risk calculation management, project risk management and project information management, through which information can be added, deleted and modified, the database can be backed up and restored for disaster recovery, project risk reports can be generated automatically, and project information can be edited. At the end of the thesis, financial information security risk assessment is tested using ISO 27001 evaluation cases and a test architecture. The system mainly studies the theory of ISO 27001 risk assessment and risk management and, combined with the actual needs of bank risk assessment and risk management, completes bank risk assessment and the quantification of risk indicators. In particular, it applies a detailed network asset table, a threat detail table and a reference table for the risk coefficient matrix of network security threats to bank security risk, information assets, system vulnerability, security early warning, security response, network security management and security event management, thereby achieving qualitative and quantitative risk analysis of bank threats and their vulnerabilities, which is of general significance for the study of bank information security.
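The abstract describes combining an asset table, a threat table and a risk coefficient matrix to produce both a quantitative score and a qualitative level per asset/threat pair. The following is an added illustration, not code from the thesis: it assumes the common ISO 27001/27005-style formulation risk = asset value × threat likelihood × vulnerability severity on 1..5 scales, and assumed score bands for the qualitative levels; the asset, threat and vulnerability tables are constructed sample data, not the thesis's reference tables.

```python
from itertools import product

# Constructed sample network asset table: id, description, asset value (1..5).
ASSETS = [
    {"id": "A1", "name": "core banking database", "value": 5},
    {"id": "A2", "name": "branch workstation", "value": 2},
    {"id": "A3", "name": "internet banking web server", "value": 4},
]

# Constructed sample threat table: id, description, threat likelihood (1..5).
THREATS = [
    {"id": "T1", "name": "external network intrusion", "likelihood": 4},
    {"id": "T2", "name": "malware infection", "likelihood": 3},
    {"id": "T3", "name": "hardware failure", "likelihood": 2},
]

# Constructed vulnerability severity (1..5) per (asset, threat) pair.
# A pair that is absent means the threat is not applicable to that asset.
VULNERABILITIES = {
    ("A1", "T1"): 3, ("A1", "T3"): 3,
    ("A2", "T2"): 4,
    ("A3", "T1"): 4, ("A3", "T2"): 2,
}

SCALE = range(1, 6)  # all three factors are rated 1..5


def risk_score(value, likelihood, severity):
    """Assumed quantitative risk coefficient: value x likelihood x severity (1..125)."""
    for factor in (value, likelihood, severity):
        if factor not in SCALE:
            raise ValueError(f"rating {factor} outside the 1..5 scale")
    return value * likelihood * severity


def qualitative_level(score):
    """Assumed bands mapping the quantitative score to a qualitative level."""
    if score >= 60:
        return "high"
    if score >= 25:
        return "medium"
    return "low"


def risk_matrix(assets, threats, vulnerabilities):
    """Build the asset/threat risk matrix, highest risk first."""
    rows = []
    for asset, threat in product(assets, threats):
        severity = vulnerabilities.get((asset["id"], threat["id"]))
        if severity is None:
            continue  # threat does not apply to this asset
        score = risk_score(asset["value"], threat["likelihood"], severity)
        rows.append({
            "asset": asset["id"],
            "threat": threat["id"],
            "score": score,
            "level": qualitative_level(score),
        })
    # reverse=True keeps insertion order for equal scores (stable sort)
    rows.sort(key=lambda r: r["score"], reverse=True)
    return rows


def early_warning(rows, level="high"):
    """Pairs that reach the given level, i.e. candidates for a security early warning."""
    return [(r["asset"], r["threat"]) for r in rows if r["level"] == level]


def risk_report(rows):
    """Plain-text project risk report, one line per asset/threat pair."""
    lines = ["asset  threat  score  level"]
    for r in rows:
        lines.append(f"{r['asset']:<6} {r['threat']:<7} {r['score']:>5}  {r['level']}")
    return "\n".join(lines)


if __name__ == "__main__":
    matrix = risk_matrix(ASSETS, THREATS, VULNERABILITIES)
    print(risk_report(matrix))
    print("early warning:", early_warning(matrix))
```

The matrix is the join of the asset and threat tables through the vulnerability table, so a threat that does not apply to an asset simply produces no row; the report and early-warning list are what the abstract's risk report and security early warning pages would be generated from.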
[Degree-granting institution]: University of Electronic Science and Technology of China (电子科技大学)
[Degree level]: Master's
[Year degree granted]: 2014
[Classification number]: TP393.08
Article number: 1467691
Article link: https://www.wllwen.com/guanlilunwen/ydhl/1467691.html